On 5 October 2010 16:39, Michael J Gruber <git@xxxxxxxxxxxxxxxxxxxx> wrote:
> Stephan Hugel venit, vidit, dixit 05.10.2010 17:19:
>> On 5 October 2010 16:07, Michael J Gruber <git@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> Stephan Hugel venit, vidit, dixit 05.10.2010 15:28:
>>>> On 5 October 2010 09:00, Michael J Gruber <git@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>>> Stephan Hugel venit, vidit, dixit 05.10.2010 02:17:
>>>>>> On 5 October 2010 00:59, Daniel Johnson <computerdruid@xxxxxxxxx> wrote:
>>>>>>> On Monday 04 October 2010 19:04:51 Stephan Hugel wrote:
>>>>>>>> Daniel,
>>>>>>>> Those are the exact steps I'm using.
>>>>>>>>
>>>>>>>> When I run tag -v on existing tags, I don't see the
>>>>>>>>
>>>>>>>> -----BEGIN PGP MESSAGE-----
>>>>>>>> Version: GnuPG v1.4.9 (Darwin)
>>>>>>>>
>>>>>>>> iD8DBQBMqlpo8Y2TgZsQ1pARAmBQAJ9NV0IX7jlzeB8ogddlutFKAjyWJwCfSI5A
>>>>>>>> yZeXw/EddYrfdad/VvOrL1o=
>>>>>>>> =/0PJ
>>>>>>>> -----END PGP MESSAGE-----
>>>>>>>>
>>>>>>>> block. It's only present on tags created using the current version.
>>>>>>>> I've also just upgraded to GnuPG 1.4.10, but the result is the same.
>>>>>>>> I'm not sure how else I can determine where the problem arises; I'm
>>>>>>>> using the git and GnuPG versions for OS X built by homebrew, and GnuPG
>>>>>>>> is happy to use the same key for en/decryption and signing. I've also
>>>>>>>> verified that none of the subkeys are expired, and that the trust db
>>>>>>>> is OK.
>>>>>>>
>>>>>>> If you have the tests available, can you try running t7004 to see if it fails
>>>>>>> there too?
>>>>>>>
>>>>>> I rebuilt and installed from source
>>>>>> Passed all 105 tests in t7004-tag.sh
>>>>>> Problem remains with tags I create
>>>>>>
>>>>>> This would seem to imply a problem with my key, even though nothing
>>>>>> else is complaining about it.
>>>>>
>>>>> Here's a very basic way to check: If foo is your tag, do
>>>>>
>>>>> git cat-file tag foo > a
>>>>> git cat-file tag foo > a.sig
>>>>>
>>>>> From the file "a", delete the signature (all lines between and
>>>>> including "-----BEGIN/END PGP SIGNATURE-----"), invoking an editor or
>>>>> your favorite sed/awk/perl magic.
>>>>>
>>>>> a is the data on which git invoked gpg for signing the tag. (I'm not
>>>>> sure why gpg can't notice the inline sig directly but that doesn't
>>>>> matter; maybe because it is none ;))
>>>>>
>>>>> Now, gpg --verify a.sig should check the signature a.sig for a. Doing
>>>>> that, maybe with --verbose, you may find out whether the tag object is
>>>>> bogus or git misunderstands gpg's response. If your key is on a key
>>>>> server you can also share the file a.sig with us so that we can check.
>>>>>
>>>>> Michael
>>>>>
>>>> Michael,
>>>> When I do this, gpg is able to verify the signature. So does this mean
>>>> that gnupg is failing to ignore the PGP block (possibly because it
>>>> expects "SIGNATURE", not "MESSAGE"?)
>>>
>>> Do you have "MESSAGE" in there???
>>>
>>> Can you share the output of "git verify-tag --verbose yourtag" with us?
>>> In any case, this command should give the same as the edited "a" above
>>> on stdout, and gpg's response on stderr. It should not contain any
>>> "----BEGIN/END...".
>>>
>>> You haven't tinkered with your gpg options lately, have you? ;)
>>>
>>> Michael
>>>
>>
>> Michael,
>> Yes, it's "MESSAGE".
>> Here's the complete process:
>>
>> $ git --version
>> git version 1.7.3.1
>>
>> $ git tag -s test_tag
>>
>> [editor opens, I enter message, save, close]
>>
>> You need a passphrase to unlock the secret key for
>> user: "Stephan Hugel <urschrei@xxxxxxxxx>"
>> 1024-bit DSA key, ID 9B10D690, created 2008-09-06
>>
>> [I enter passphrase]
>>
>> [process completes]
>>
>> $ git verify-tag --verbose test_tag
>> object 791abd4848d86ea98071f35bbce4d4b274ef0788
>> type commit
>> tag test_tag
>> tagger Stephan Hügel <urschrei@xxxxxxxxx> 1286291263 +0100
>>
>> Test tag
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v1.4.10 (Darwin)
>>
>> iD8DBQBMqz9G8Y2TgZsQ1pARAh2bAJ0WuNWsNa+eJq3aYMlwvOFX5eRUngCfZAcM
>> hnt1Aomaz5SY0yofv9BwGWg=
>> =+AKs
>> -----END PGP MESSAGE-----
>> gpg: Signature made Tue  5 Oct 16:07:50 2010 IST using DSA key ID 9B10D690
>> gpg: BAD signature from "Stephan Hugel <urschrei@xxxxxxxxx>"
>>
>>
>> Now, if I manually append the tag contents to a file:
>>
>> $ git cat-file tag test_tag > a
>> $ git cat-file tag test_tag > a.sig
>> $ less a.sig
>>
>> object 791abd4848d86ea98071f35bbce4d4b274ef0788
>> type commit
>> tag test_tag
>> tagger Stephan Hügel <urschrei@xxxxxxxxx> 1286291263 +0100
>>
>> Test tag
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v1.4.10 (Darwin)
>>
>> iD8DBQBMqz9G8Y2TgZsQ1pARAh2bAJ0WuNWsNa+eJq3aYMlwvOFX5eRUngCfZAcM
>> hnt1Aomaz5SY0yofv9BwGWg=
>> =+AKs
>> -----END PGP MESSAGE-----
>>
>> [remove PGP block (identical to the above block) from a]
>>
>> $ gpg --verify a.sig
>> gpg: Signature made Tue  5 Oct 16:07:50 2010 IST using DSA key ID 9B10D690
>> gpg: Good signature from "Stephan Hugel <urschrei@xxxxxxxxx>"
>>
>> I've also just had a look at my gnupg.conf: the only options in it are:
>> default-key 9B10D690
>> charset utf8
>> keyserver hkp://keyserver.ubuntu.com
>> auto-key-locate hkp://keyserver.ubuntu.com
>> utf8-strings
>> rfc1991
>>
>> Nothing else.
>
> The last one is the trouble maker, and you must have added it around the
> time of upgrading git...
>
> Now, git should be able to cope with that, of course.
>
> Michael
>
I can confirm that disabling that option in gpg.conf results in a tag
using "SIGNATURE" being written, which can be subsequently verified.

--
steph
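
Added example (not part of the thread, and not git's own code): a Python model of the failure discussed above. It assumes the verifier locates the signature only by a line starting with `-----BEGIN PGP SIGNATURE-----`, so a `MESSAGE`-armored block stays inside the payload, as in the `verify-tag --verbose` output; `split_tag`, `diagnose`, `make_tag` and the sample tags are hypothetical names and constructed data.

```python
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
MSG_BEGIN = "-----BEGIN PGP MESSAGE-----"  # armor header seen in the thread


def split_tag(tag_text, begins=(SIG_BEGIN,)):
    """Split a tag object into (payload, signature) at the first line that
    starts with one of `begins`; signature is "" when no such line exists."""
    offset = 0
    for line in tag_text.splitlines(keepends=True):
        if line.startswith(tuple(begins)):
            return tag_text[:offset], tag_text[offset:]
        offset += len(line)
    return tag_text, ""


def diagnose(tag_text):
    """Classify a tag as 'signed', 'unsigned' or 'armor-mismatch'."""
    _, strict_sig = split_tag(tag_text)
    _, tolerant_sig = split_tag(tag_text, (SIG_BEGIN, MSG_BEGIN))
    if strict_sig:
        return "signed"
    if tolerant_sig:
        # A strict parser would treat the armor block as tag text, so the
        # data handed to gpg differs from the data that was signed.
        return "armor-mismatch"
    return "unsigned"


def make_tag(begin, end):
    """Build a constructed tag object; the armor body is a placeholder."""
    return (
        "object 0000000000000000000000000000000000000000\n"
        "type commit\n"
        "tag test_tag\n"
        "tagger A U Thor <author@example.com> 1286291263 +0100\n"
        "\n"
        "Test tag\n"
        f"{begin}\n"
        "\n"
        "CONSTRUCTEDnotARealSignature\n"
        f"{end}\n"
    )


MESSAGE_TAG = make_tag(MSG_BEGIN, "-----END PGP MESSAGE-----")
SIGNATURE_TAG = make_tag(SIG_BEGIN, "-----END PGP SIGNATURE-----")

if __name__ == "__main__":
    for name, tag in (("rfc1991", MESSAGE_TAG), ("default", SIGNATURE_TAG)):
        payload, sig = split_tag(tag)
        print(name, diagnose(tag), "payload:", len(payload), "sig:", len(sig))
```

Running `diagnose` over the output of `git cat-file tag <name>` for each tag in a repository flags the tags that were written while the `rfc1991` option was active.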