27

Currently I use 2 emails (personal + company) with one SSH key to log in to GitHub, but I use the same GPG key for signing. Both are verified on my GitHub Email Settings page.

On the first one (personal), no issue, when I do a commit it appears as Verified. On the second one (company), the commits appear as Unverified in GitHub with the following warning message:

The email in this signature doesn’t match the committer email.

    $ gpg --list-secret-keys --keyid-format LONG
    ...
    sec   rsa4096/MY_GPG_KEY_ID 2020-05-19 [SC] [expires: 2022-05-19]
    ...
    uid                 [ultimate] Furkan (Company key) <[email protected]>
    uid                 [ultimate] Furkan <[email protected]>

In the repository:

    $ git log --show-signature
    ...
    gpg: Good signature from "Furkan (Company key) <[email protected]>" [ultimate]
    gpg:                 aka "Furkan <[email protected]>" [ultimate]
    Author: MyGitHubNickname <[email protected]>
    ...

Local config settings:

    $ git config --local --list
    ...
    user.name=Furkan
    user.email=[email protected]

Global config settings:

    $ git config --global --list
    ...
    user.name=MyGitHubNickname
    user.email=[email protected]
    user.signingkey=MY_40_CHARACTER_SIGNING_KEY

But this did not work:

    $ git commit -S --amend --reset-author
    $ git push --force

I see the MY_GPG_KEY_ID key at the bottom of this popup, exactly the same.


I followed the "Troubleshooting commit signature verification" and "Using a verified email address in your GPG key" guides as described in GitHub Docs, but it still did not fix the problem.

3
  • In your GitHub user settings > "SSH and GPG keys", do you see both email addressees listed for the key in question? Commented Oct 12, 2021 at 11:06
  • 1
    I could not see both email addresses in the GPG keys; there are two of the same mails, but it is set to my primary mail. I exported my secondary mail's GPG public key: gpg --output public.pgp --armor --export name@mail, but GitHub says: "Key already exists and Public key already exists". Commented Oct 13, 2021 at 8:12
  • This is more like an answer than a question. ;) Commented Jun 26, 2023 at 15:11

3 Answers

34

Everything you did so far is correct; you're just missing the final step which is to update GitHub's copy of your public key.

You need to regenerate your public key (gpg --armor --export KEY_ID), then, in your GitHub user settings > "SSH and GPG keys", you need to delete the original key and upload the regenerated public key.

This is what it should end up looking like. Commits signed with any of the listed addresses will now show as Verified.

[screenshot: GPG key with two associated email addresses]


7 Comments

If you've previously uploaded this same key but with only one address, for some reason GitHub won't allow you to upload your updated key if you don't delete the original first ("Key already exists and Public key already exists").
"delete the original key" solved it for me
My problem was related to username change which changed my GitHub e-mail. But commits I made between changing the username and adding the email to the key remain on “Unverified”, right? Or is there a way to verify it retroactively?
@Andrin According to GitHub’s docs, if you change your GitHub username, your old commits that were associated with your previous GitHub-provided no-reply email address will become unverified. That said, (I haven’t tested this but) I don’t see why you can’t just add the old no-reply email to your key in addition to your current one? Maybe you can try it out and let us know.
"I don’t see why you can’t just add the old no-reply email to your key in addition to your current one" This won't work. As well as matching the commit email against the key, GitHub also requires that it's a verified email of the GitHub account before it verifies a commit. An old GitHub-provided noreply address from a past username is no longer part of the account. This explains @Andrin's observation: commits signed with the old noreply address become permanently unverified; the older ones that remain verified likely used a personal email. My previous comment still applies for normal emails.
10

In my case there was a discrepancy between committer and author. GitHub shows the author by default, but the committer was set to something auto-generated.

You can check with git log --format=full.

2 Comments

As per your git command, I have noted my commits are using some randomly generated email as Author and Commit. After updating my email in Menu Git -> Options, now I am able to see the verified sign for my commit, and for the first time, it didn't ask for a password for the commit. Don't know how it happened. If anyone knows how a commit verified without a password is possible?
Same. Check current email using git config user.email and, if incorrect, set with git config user.email "[email protected]" or git config --global user.email "[email protected]".
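A local version of the two checks the answers above describe (the key's UIDs versus the commit's committer and author emails), as an added example that is not part of any answer on this page; the key listing and the addresses are constructed sample data, and check_head_commit is a hypothetical wrapper that needs git and gpg on the machine:

```shell
#!/bin/sh
# Added example: reproduce GitHub's "email in this signature doesn't match
# the committer email" check before pushing. Every "uid:" record printed by
# `gpg --with-colons` carries "Name (comment) <email>" in field 10; a commit
# only verifies when its committer email is one of those UIDs and is also a
# verified address on the GitHub account.

# Print the email address of each UID in a --with-colons key listing ($1).
key_emails() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "uid" && match($10, /<[^>]+>/) {
      print substr($10, RSTART + 1, RLENGTH - 2)
    }'
}

# Succeed (exit 0) when email $2 is carried by one of the UIDs in listing $1.
email_in_key() {
  key_emails "$1" | grep -qxF "$2"
}

# Report one commit: $1 listing, $2 author email, $3 committer email.
# Prints "verified" or the reason; returns 0 only when verified.
commit_status() {
  if ! email_in_key "$1" "$3"; then
    echo "unverified: committer email $3 is not a UID of the signing key"
    return 1
  elif [ "$2" != "$3" ]; then
    echo "check: author $2 differs from committer $3 (see git log --format=full)"
    return 2
  fi
  echo "verified"
}

# Constructed sample listing shaped like `gpg --with-colons --list-keys KEYID`
# for a key with two UIDs; the key id and addresses are invented for this example.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1589846400:1652918400::u:::scESC::::::23::0:
uid:u::::1589846400::AAAA::Furkan (Company key) <furkan@company.example>::::::::::0:
uid:u::::1589846400::BBBB::Furkan <furkan@personal.example>::::::::::0:'

# Hypothetical live wrapper: inspects HEAD with the configured signing key.
check_head_commit() {
  listing=$(gpg --with-colons --list-keys "$(git config user.signingkey)")
  commit_status "$listing" "$(git log -1 --format=%ae)" "$(git log -1 --format=%ce)"
}

commit_status "$SAMPLE_LISTING" furkan@company.example furkan@company.example
commit_status "$SAMPLE_LISTING" furkan@company.example nobody@else.example || true
```

Run it in a repository after `git commit -S` to see which of the two mismatches (missing UID or author/committer drift) GitHub would flag.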
5

As I have just discovered, you also need to be aware that if you have checked "Keep my email addresses private" in your settings and you're trying to use just a GPG key, it will keep posting "unverified commit" as your email never matches. I spent days having my head done in on this, trying to figure it out, hunting forums and searches.

My guess is that if you use "Keep my email addresses private" you need to see what the "hidden email address" you are given is, and include it in the "email" of your GPG key.

There is NOWHERE that mentions this! (I would have added this in the comments, but I don't have enough points; anyway, it is another answer!)

1 Comment

I didn't try the "mystery email address" in the key, but I DID use git config user.email, and that's how I discovered the email mismatch; as soon as I removed "Keep my email addresses private" it all suddenly worked.
