I use a GPG key to sign my git commits.
An error like this one might be a sign of an expired GPG key.
error: gpg failed to sign the data fatal: failed to write commit object
- On your machine, open up the shell (git bash on Windows) and type
gpg --list-secret-keys --keyid-format LONG
- This will list out all your secret keys in the following fomat:
/home/TheSherlockHomie/.gnupg/pubring.kbx
---------------------------------
sec rsa4096/HJ6582DC8B78GTU 2020-12-09 [SC] [expires: 2025-05-01]
15JHUG1D325F458624HF7521B3F5D82DC458H
uid [ultimate] TheSherlockHomie (Key to sign git commits) <[email protected]>
ssb rsa4096/11HGTH5483DD0A 2020-12-09 [E] [expires: 2025-05-01]
- If your keys are expired, you'll se
expiredinstead of the expiration date.
- Now that you know for sure that your commit signing key has expired, let's renew the expiration date:
gpg --edit-key KEYID
// where KEYID is of the key you want to renew. Here, it is HJ6582DC8B78GTU
- Now in the intearctive gpg shell,
gpg> expire
- When prompted type
1yor however long you want the key to last for. - Now to renew all our subkeys too.
key 1
key 2 //and so on, depending on the subkeys you have
- A star will sppear before all selected keys.
gpg> expire
- Again, set the expiration time for your subkeys.
- Since the key has changed, we now need to trust it. We might get a warning
There is no assurance this key belongs to the named userotherwise.
gpg> trust
- Set the trust level
5(for ultimate) or whatever is the trust level of the key.
gpg> save
- For the gpg key you updated, export its public key:
$ gpg --armor --export KEYID
# Prints the GPG key ID, in ASCII armor format
- Copy your GPG key, beginning with
-----BEGIN PGP PUBLIC KEY BLOCK-----and ending with-----END PGP PUBLIC KEY BLOCK----- - Navigate to
Github>Settings>SSH and GPG keys - Delete the expired key.
- Add the new key that you copied.
- "Your previous commits and tags will show as verified, as long as the key meets all other verification requirements." - Github
- There is more than one way to accomplish this.
- The method I prefer is:
gpg --output backupkeys.pgp --armor --export-secret-keys --export-options export-backup [email protected]
- This will create a file
backupkeys.pgpon your present working directory. Make sure to store it safely. - If this key is important to you, you may want to print out the key on paper using paperkey, and store it in a fireproof/waterproof safe.
- Now export the trust database
gpg --export-ownertrust > ownertrust-gpg.txt
- This will create a file
ownertrust-gpg.txton your present working directory. Keep it along with your backup keys.
- You might have multiple machines where you need the key, or you might have a setup like me, where I use Ubuntu on WSL and Windows both for development.
- Transfer the keys to your machine, open a shell (or Git Bash), and type:
gpg --import backupkeys.pgp
gpg --import-ownertrust ownertrust-gpg.txt
- Now verify that you have the keys
gpg --list-secret-keys --keyid-format LONG
gpg --list-keys --keyid-format LONG
- Which should show your secret and public keys respectively.
- If you do not have the owner trust backup file, you'll need to manually set the trust level:
gpg --edit-key KEYID
gpg> trust
- And set the trust level accordingly.
-
krisleech - Renew Expired GPG key (Github Gists)(And shirohana, with the comment reminding to save your work)
-
Thomas Eisenbarth - GPG: Extract private key and import on different machine (on makandracards.com)
-
chrisroos - Instructions for exporting/importing (backup/restore) GPG keys (on Github Gists)
@TheSherlockHomie - I only wanted to let you know that this is my guide every year I renew my keys. Thank you so much for this guide π I inevitably forget how to do this and I rely on your resource every time π