gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]

If gnupg2 and gpg-agent 2.x are used, be sure to set the environment variable GPG_TTY.

export GPG_TTY=$(tty) 

See GPG’s documentation about common problems.

GIT_TRACE=1 shows what git is actually doing:

$ GIT_TRACE=1 git commit -m "example commit message" 20:52:58.902766 git.c:328 trace: built-in: git 'commit' '-vvv' '-m' 'example commit message' 20:52:58.918467 run-command.c:626 trace: run_command: 'gpg' '--status-fd=2' '-bsau' '23810377252EF4C2' error: gpg failed to sign the data fatal: failed to write commit object 

Now run the failing command manually:

$ echo "dummy" | gpg -bsau 23810377252EF4C2 gpg: skipped "23810377252EF4C2": Unusable secret key gpg: signing failed: Unusable secret key 

Turns out that my key was expired, and git was not to blame.

Follow the below url to setup signed commit https://help.github.com/en/articles/telling-git-about-your-signing-key

if still getting gpg failed to sign the data fatal: failed to write commit object

this is not issue with git ,this is with GPG follow below steps

1. gpg --version
2. echo "test" | gpg --clearsign

if it is showing:

gpg: signing failed: Inappropriate ioctl for device gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device 

3. then use export GPG_TTY=$(tty)

4. then again try echo "test" | gpg --clearsign in which PGP signature is got.

5. git config -l | grep gpg

gpg.program=gpg commit.gpgsign=true 

6. apply git commit -S -m "commitMsz"

I've DONE it through this short and easy recipe:

UPDATE for the era of LLMs

Start from: export GPG_TTY=$(tty)

If no success, then: killall pgp-agent

Auto-sign commits on macOS (Globally and with different IDEs):

Get your signingkey in this way.

brew install gnupg gnupg2 pinentry-mac git config --global user.signingkey <YOUR_SIGNING_KEY> git config --global commit.gpgsign true git config --global gpg.program gpg 

Put the following in gpg.conf file (edit file with nano ~/.gnupg/gpg.conf command):

no-tty 

Put the following in gpg-agent.conf file (edit file with nano ~/.gnupg/gpg-agent.conf command):

pinentry-program /usr/local/bin/pinentry-mac 

Update:

As suggested in the comments, you might need to execute killall gpg-agent command after editing the configurations file, gpg.conf, according to the comments. needless to say that this command will terminate the GPG (Gnu Privacy Guard) agent.

May help killing process gpg-agent that might stuck with old data. So new gpg-agent started would ask for password.

To anybody who is facing this issue on MacOS machines, try this:

1. brew uninstall gpg
2. brew install gpg2
3. brew install pinentry-mac (if needed)
4. gpg --full-generate-key Create a key by using an algorithm.
5. Get generated key by executing: gpg --list-keys
6. Set the key here git config --global user.signingkey <Key from your list>
7. git config --global gpg.program $(which gpg)
8. git config --global commit.gpgsign true
9. If you want to export your Key to GitHub then: gpg --armor --export <key> and add this key to GitHub at GPG keys: https://github.com/settings/keys (with START and END line included)

If the issue still exists:

test -r ~/.bash_profile && echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile

echo 'export GPG_TTY=$(tty)' >> ~/.profile

If the issue still exists:

Install https://gpgtools.org and sign the key that you used by pressing Sign from the menu bar: Key->Sign

If the issue still exists:

Go to: ‎⁨your global .gitconfig file which in my case is at: ‎⁨/Users/gent/.gitconfig And modify the .gitconfig file (please make sure Email and Name are the same with the one that you have created while generating the Key):

[user] email = [email protected] name = Gent signingkey = <YOURKEY> [gpg] program = /usr/local/bin/gpg [commit] gpsign = true gpgsign = true [filter "lfs"] process = git-lfs filter-process required = true clean = git-lfs clean -- %f smudge = git-lfs smudge -- %f [credential] helper = osxkeychain 

My two cents here:

When you create and add a key to gpg-agent you define something called passphrase. Now that passphrase at some point expires, and gpg needs you to enter it again to unlock your key so that you can start signing again.

When you use any other program that interfaces with gpg, gpg's prompt to you to enter your passphrase does not appear (basically gpg-agent when daemonized cannot possibly show you the input dialog in stdin).

One of the solutions is gpg --sign a_file.txt then enter the passphrase that you have entered when you created your key and then everything should be fine (gpg-agent should automatically sign)

See this answer on how to set longer timeouts for your passphrase so that you do not have to do this all the time.

Or you can completely remove the passphrase with ssh-keygen -p

Edit: Do a man gpg-agent to read some stuff on how to have the above happen automatically and add the lines:

GPG_TTY=$(tty) export GPG_TTY 

on your .bashrc if you are using bash(this is the correct answer but I am keeping my train of thought above as well) then source your .bashrc file or relogin.

I've seen similar answers, but nothing exactly like what worked for me. On Linux, I had to kill and restart my gpg-agent with:

$ pkill gpg-agent $ gpg-agent --daemon $ git commit ... 

This did the trick for me. It looks like you do need to have user.signingkey set to your private key as well from what some other comments are saying.

$ git config --global user.signingkey [your_key_hash] 

On OS X, using gnupg2 via brew I just had to kill the gpg agent, happens sometimes:

pkill -9 gpg-agent 

And set the env variable if needed:

export GPG_TTY=$(tty) 

See Common GPG problems also and this answer here too.

I get that error every time I logout then login again on my macOS. The solution is just a simple single command:

killall gpg-agent 

I think it's just an error from gpg agent, kill it then working again.

The git trace was very revealing for my situation...

 GIT_TRACE=1 git commit -m "a commit message" 

 13:45:39.940081 git.c:344 trace: built-in: git commit -m 'a commit message' 13:45:39.977999 run-command.c:640 trace: run_command: gpg --status-fd=2 -bsau 'full name <[email protected]>' error: gpg failed to sign the data fatal: failed to write commit object 

I needed to generate an initial key per the format that git was checking against. It's best to copy the value passed to -bsau above in the logs as is and use below.

So it becomes,

 gpg --quick-generate-key "full name <[email protected]>" 

Then it worked.

Update Oct. 2016: issue 871 did mention "Signing stopped working in Git 2.9.3"

Git for Windows 2.10.1 released two days ago (Oct. 4th, 2016) has fixed Interactive GPG signing of commits and tag.

the recent gpg-sign change in git (which introduces no problem on Linux) exposes a problem in the way in which, on Windows, non-MSYS2-git interacts with MSYS2-gpg.

Original answer:

Reading "7.4 Git Tools - Signing Your Work", I assume you have your "user.signingkey" configuration set.

The last big refactoring (before Git 2.10) around gpg was in commit 2f47eae2a, here that error message was moved to gpg-interface.c

A log on that file reveals the recent change in commit af2b21e (Git 2.10)

gpg2 already uses the long format by default, but most distributions seem to still have "gpg" be the older 1.x version due to compatibility reasons. And older versions of gpg only show the 32-bit short ID, which is quite insecure.

This doesn't actually matter for the verification itself: if the verification passes, the pgp signature is good.
But if you don't actually have the key yet, and want to fetch it, or you want to check exactly which key was used for verification and want to check it, we should specify the key with more precision.

So check how you specified your user.signingkey configuration, and the version of gpg you are using (gpg1 or gpg2), to see if those have any effect on the error message.

There is also commit 0581b54 which changes the condition for the gpg failed to sign the data error message (in complement to commit 0d2b664):

We don't read from stderr at all currently. However, we will want to in a future patch, so this also prepares us there (and in that case gpg does write before reading all of the input, though again, it is unlikely that a key uid will fill up a pipe buffer).

Commit 4322353 shows gpg now uses a temporary file, so there could be right issues around that.

Let's convert to using a tempfile object, which handles the hard cases for us, and add the missing cleanup call.

I got this error on Ubuntu 18.04 and it turned out that my key was expired.

To see this, I ran this and it confirmed that my keys were expired:

gpg --list-keys 

To correct this, I ran (using the ID displayed in the previous command):

gpg --edit-key <ID> 

From there, I extended the expiration of key 0 and key 1 following these instructions which boiled down to typing key 0 then expire and following the prompts. Then repeating for key 1.

Afterward, to test this, I ran:

echo test | gpg --clearsign 

And before the fix, it failed with the error:

gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key

But after the fix, the same command successfully signed the message so I knew things were working again!

Using cygwin, I recently switched to gpg2. Then I had the same problem for signing with git after setting git config gpg.program gpg2.

Try echo "test" | gpg2 --clearsign to see whether gpg2 is working. I found it the easiest solution to just set git config gpg.program gpg, because that works. But you will also get a better error this way - e.g. that you need to install pinentry.

If you use homebrew on a M1 chip without Rosetta, you need to specify a different location of the pinentry-program binary because it's installed at a different place.

Andy Hayden's updated answer should be modified as follow:

brew upgrade gnupg # This has a make step which takes a while arch -arm64 brew link --overwrite gnupg arch -arm64 brew install pinentry-mac echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf killall gpg-agent 

Might be a hanging gpg-agent.

Try gpgconf --kill gpg-agent as discussed here

I am using M1 Mac, where I have tried above most common of the solutions and didn't work, my problem was that GPG binary missing here => usr/local/bin

Originally, I installed GPG via brew and I tried re-installing it but couldn't find the binary where it stored, later I installed GPG Suite GUI from here => GPG Suite Tools and it worked.

Finally, I can sign-in commit and get verify badge on Github.

After searching a lot, I found that gpg key was the issue in my case.

To check if gpg key is an issue for you, first check output of the following:

GIT_TRACE=1 git commit -m 'message' 

If something is wrong then you will see something like:

10:37:22.346480 run-command.c:637 trace: run_command: gpg --status-fd=2 -bsau <your GPG key> 

It was showing my name and email in GPG key here but this should have the key. You can try running gpg --status-fd=2 -bsau <your GPG key>

To update your correct key, do the following: check key using: gpg --list-secret-keys --keyid-format=long

It should have the following output:

/Users/hubot/.gnupg/secring.gpg ------------------------------------ sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10] uid Hubot ssb 4096R/42B317FD4BA89E7A 2016-03-10 

And then update the key using:

git config --global user.signingkey 3AA5C34371567BD2 

Now check the commit again and it should success if key was the issue. You need to set the passphrase to update the key which you can do using GitHub docs.

More details are at: https://gist.github.com/paolocarrasco/18ca8fe6e63490ae1be23e84a7039374

I must have accidentally updated gpg somehow because I got this after trying to test if gpg works:

gpg: WARNING: server 'gpg-agent' is older than us (2.1.21 < 2.2.10) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. 

Running gpgconf --kill all fixed it for me.

I stumbled upon this error not because of any configuration issue, but because my key was expired. The easiest way to extend its validity on OSX is to open the GPG Keychain app (if you have it installed) and it will automatically prompt you to extend it. Two clicks, and you're done.

I had the same error , after VSCode update. Although my security commit was working fine, after update of VSCode I got this error:

error: gpg failed to sign the data fatal: failed to write commit object 

The only thing that restored the functionality was this command:

echo "test" | gpg --clearsign 

The command returned error with this:

gpg: signing failed: Screen or window too small gpg: [stdin]: clear-sign failed: Screen or window too small 

After increasing the terminal i was able to type my pass phrase. Very bizzare situation.

I found it very helpful to check what git commit is doing under the hood. Run the following commit with GIT_TRACE=1 as follow:

GIT_TRACE=1 git commit -S -m "MESSAGE" 

This will show what user name, email and signing key git uses when committing.

In my case, I found that git was picking up the wrong user's and key details for signing the commit. I mainly intended to use the local config of the repo rather than the global and adding the following to the local git config (located at "REPO_PATH/.git/config") got signing the commit to work both in Terminal and VSCode

[user] name = USER NAME email = USER EMAIL signingKey = SIGNING KEY 

It can also be set with the following:

git config --local user.name "USER NAME" git config --local user.email "USER EMAIL" git config --local user.signingkey "USIGNING KEY" 

I ran into the same problem. I'm happy to report that the issue lies not with git 2.10.0 but with gnupg 1.4.21.

Temporarily downgrading gnupg to 1.4.20 fixed the issue for me.

If you're using homebrew and you upgraded your packages like I did, you can probably just run brew switch gnupg 1.4.20 to revert back.

Make sure you have your email set properly.

git config --global user.email "[email protected]" 

In my case, the problem was with the relative name of gpg inside ~/.gitconfig. I changed it to this and the problem disappeared (Monterey, Macbook M1):

[gpg] program = /opt/homebrew/bin/gpg 

The explanation is simple: when git is trying to run gpg it does it in a new shell, without running ~/.profile where I configure PATH for homebrew. So, it simply can't find gpg at all.

Solution work for me is :

• Firstly I tried to get details about why this is NOT working. Try below cmd on terminal

 $ echo "Hello" > test.txt $ gpg --sign --default-key <your-email-id> test.txt 

• Observed error with details : gpg: signing failed: No pinentry

gpg-agent[59045]: can't connect to the PIN entry module '/usr/local/bin/pinentry': IPC connect call failed gpg-agent[59045]: failed to unprotect the secret key: No pinentry 

• From terminal I hit below cmd :

 cat ~/.gnupg/gpg-agent.conf 

• Check if below statement is present. Need to add if not present in gpg-agent.conf

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

• After adding pinentry path, Run

 $ gpgconf --kill gpg-agent $ gpg --sign --default-key <your-email-id> test.txt 

• See the output :

 gpg: using <your-email-id> as default secret key for signing 

If the email assoicated to your GPG key's uid is different to the email you are using in git, you'll need to add another user id to your key OR use a key which email matches exactly.

You can add another UID by using:

$ gpg --edit-key

See for mo https://superuser.com/questions/293184/one-gnupg-pgp-key-pair-two-emails

The answers above are great but they did not work for me. What solved my issue was exporting both the public and secret keys.

list the keys from machine where we are exporting from

$ gpg --list-keys /home/user/.gnupg/pubring.gpg -------------------------------- pub 1024D/ABCDFE01 2008-04-13 uid firstname lastname (description) <[email protected]> sub 2048g/DEFABC01 2008-04-13 

export the keys

$ gpg --output mygpgkey_pub.gpg --armor --export ABCDFE01 $ gpg --output mygpgkey_sec.gpg --armor --export-secret-key ABCDFE01 

go to machine we are importing to and import

$ gpg --import ~/mygpgkey_pub.gpg $ gpg --allow-secret-key-import --import ~/mygpgkey_sec.gpg 

bingo bongo, you're done!

reference: https://www.debuntu.org/how-to-importexport-gpg-key-pair/

ps. My keys were originally made on bootcamp windows 7 and I exported them onto my mac air (same physical machine, different virtually)

This started happening all of a sudden for me on Ubuntu, not sure if some recent update did it, but none of the existing issues were applicable for me (I had GPG_TTY set, tried killing the agent etc.). The standalone gpg command was failing with this error:

$ echo "test" | gpg --clearsign -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 test gpg: signing failed: Operation cancelled gpg: [stdin]: clear-sign failed: Operation cancelled 

I tried running gpg with --debug-all option and noticed the below output:

gpg: DBG: chan_3 <- INQUIRE PINENTRY_LAUNCHED 27472 gnome3 1.1.0 /dev/pts/6 screen-256color - gpg: DBG: chan_3 -> END gpg: DBG: chan_3 <- ERR 83886179 Operation cancelled <Pinentry> gpg: signing failed: Operation cancelled 

The above indicates that there is some issue with the pinentry program. Gpg normally runs pinentry-curses for me, so I changed it to pinentry-tty (I had to aptitude install it first) and the error went away (though I no longer get the fullscreen password entry, but I don't like that anyway). To make this change, I had to add the line pinentry-program /usr/bin/pinentry-tty to ~/.gnupg/gpg-agent.conf and kill the agent with gpgconf --kill gpg-agent (it gets restarted the next time).