On Mon, Dec 16, 2024 at 06:35:43AM -0500, Jeff King wrote:
> On Fri, Dec 13, 2024 at 09:23:29PM +0100, Carlos Maiolino wrote:
>

Sorry for the late reply Jeff... Holidays, family, the whole thing...

> > the git-tag manpage states:
> >
> > "
> > CONFIGURATION
> > By default, git tag in sign-with-default mode (-s) will use your committer
> > identity (of the form Your Name <your@email.address>) to find a key. If you
> > want to use a different default key, you can specify it in the repository
> > configuration as follows:
> >
> > [user]
> > signingKey = <gpg-key-id>
> > "
> >
> >
> > I do have my $HOME/.gitconfig configured to always sign tags with a specific key
> > per the above documentation, and I just take it for granted.
> > Today I had two smartcards connected, and when signing a tag, git-tag used the
> > wrong key to sign the tag, instead of the one specified in the .gitconfig.
> >
> > I believe this might be a bug or some expected behavior that doesn't match the
> > manpage. Or perhaps I misinterpreted the manpage?
>
> No, I'd expect it to sign with the key that you configured. Two things
> I'd check:
>
> 1. Try "git config --list --show-origin" to make sure you do not
> accidentally have incorrect config somewhere overriding what you
> expect.

Ok, this returns the 'correct' key:

$ git config --list --show-origin|grep sign
file:$HOME/.gitconfig user.signingkey=0C...

yet just creating a dummy tag on a dummy repo:

$ git tag --verify foo
object 5d3928490fc1506afa0e0cfada15819e2eac922f
type commit
tag foo
.
.
.
gpg: using ECDSA key A6...

> 2. Try signing with "GIT_TRACE=1" set in the environment, which will
> show the gpg command we run. E.g.:
>
> $ GIT_TRACE=1 git -c user.signingkey=foobar tag -s -m foo bar
> [...]trace: built-in: git tag -s -m foo bar
> [...]trace: run_command: gpg --status-fd=2 -bsau foobar
> [...]trace: start_command: /usr/bin/gpg --status-fd=2 -bsau foobar

Hmm, this actually works. Doing this, the tag is signed with the key I pass on the CLI.

> If git is passing the correct "-u" option to gpg, then the bug (or
> misconfiguration) may be in gpg.

I particularly think git is the 'problem' here. After I tried GIT_TRACE, I decided to run it without specifying the key on the CLI, as I'd normally do, and it did work normally, and I think what happens is git defaults to another key if the specified key is not available.

As I mentioned earlier, the key configured in my .gitconfig is inside a smartcard. I just tested creating a tag without the smartcard connected, and git ignored the signing key I passed, using another key.

I am not sure how right I am, so please correct me if I'm not, but I would expect git tag to fail, or at least give me a big warning, if for any reason it could not sign the tag with the specified key.

Cheers and happy new year

>
> -Peff
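The thread's underlying problem is that nothing in the normal "git tag -s" flow tells you which key actually made the signature, so a key substitution (a different card, a fallback key) goes unnoticed until someone inspects the tag. The script below is an added example, not code from the thread, from git or from gnupg: it parses the machine-readable gpg status lines that "git verify-tag --raw <tag>" relays on stderr (the VALIDSIG record documented in gnupg's doc/DETAILS) and compares the signing key and its primary key against whatever "git config user.signingKey" holds, accepting a full fingerprint or a long/short key ID as gpg's "-u" does. The status text and all fingerprints embedded in it are constructed for the example; check_tag() is the only part that shells out and it needs git and gpg on the machine.

```python
"""Check that a signed git tag was really made with the configured user.signingKey.

Added example (not code from the thread, from git or from gnupg).  It parses the
"[GNUPG:] VALIDSIG" status lines that `git verify-tag --raw <tag>` prints on
stderr and compares them with `git config user.signingKey`.  The sample status
output and every fingerprint in it are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: gpg status output for a tag that was signed by a key other
# than the one the user configured (all hex values are made up).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED A61C0D2F9B7E4C1A5F3E8D2B7C6A5E4D3C2B1A09 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2024-12-16 1734345343
[GNUPG:] GOODSIG F0E1D2C3B4A59687 Example User <user@example.org>
[GNUPG:] VALIDSIG 7B1E9D8C7A6F5E4D3C2B1A09F0E1D2C3B4A59687 2024-12-16 1734345343 0 4 0 19 8 00 A61C0D2F9B7E4C1A5F3E8D2B7C6A5E4D3C2B1A09
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""


@dataclass
class ValidSig:
    signing_fpr: str   # fingerprint of the (sub)key that made the signature
    primary_fpr: str   # fingerprint of the primary key that subkey belongs to


def parse_validsig(status_text: str) -> List[ValidSig]:
    """Extract every VALIDSIG record from gpg --status-fd output."""
    sigs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]" or fields[1] != "VALIDSIG":
            continue
        signing_fpr = fields[2].upper()
        # The primary-key fingerprint is the optional trailing field; older gpg
        # versions omit it, in which case the signing fingerprint is all we have.
        primary_fpr = fields[11].upper() if len(fields) >= 12 else signing_fpr
        sigs.append(ValidSig(signing_fpr, primary_fpr))
    return sigs


def normalize_key(configured: str) -> Optional[str]:
    """Reduce a user.signingKey value to uppercase hex, or None if it is not hex.

    git passes the value to `gpg -u` verbatim, so it may be a fingerprint, a long
    or short key ID (optionally 0x-prefixed or with gpg's trailing "!" that pins a
    subkey), or a user ID such as "Name <mail>".  Only hex forms can be compared
    against VALIDSIG fingerprints.
    """
    value = configured.strip().replace(" ", "")
    if value.lower().startswith("0x"):
        value = value[2:]
    if value.endswith("!"):
        value = value[:-1]
    return value.upper() if re.fullmatch(r"[0-9A-Fa-f]{8,40}", value) else None


def signed_with_configured_key(status_text: str, configured_key: str) -> bool:
    """True iff some VALIDSIG in status_text was made by configured_key.

    A key ID is the trailing 8 or 16 hex digits of a fingerprint, so the configured
    value matches when it is a suffix of the signing subkey's or the primary key's
    fingerprint.  Short IDs are accepted but easy to collide; configure the full
    fingerprint to make the check unambiguous.
    """
    wanted = normalize_key(configured_key)
    if wanted is None:
        raise ValueError(f"user.signingKey {configured_key!r} is not a hex key ID; "
                         "set it to a full fingerprint for an unambiguous check")
    return any(sig.signing_fpr.endswith(wanted) or sig.primary_fpr.endswith(wanted)
               for sig in parse_validsig(status_text))


def check_tag(tag: str, repo: str = ".") -> bool:
    """Run the check against a real tag (needs git and gpg; not used by the tests)."""
    key = subprocess.run(["git", "-C", repo, "config", "user.signingKey"],
                         capture_output=True, text=True, check=True).stdout
    verify = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        raise RuntimeError(f"signature on {tag} did not verify:\n{verify.stderr}")
    return signed_with_configured_key(verify.stderr, key)


if __name__ == "__main__":
    import sys
    tag_name = sys.argv[1] if len(sys.argv) > 1 else "foo"
    ok = check_tag(tag_name)
    print(f"{tag_name}: signed with configured user.signingKey? {ok}")
    sys.exit(0 if ok else 1)
```

Run it as "python3 check_tag.py v1.2.3" right after "git tag -s" (or from a post-receive hook on the server side) and it exits non-zero when the tag carries a valid signature from the wrong key, which is exactly the situation the thread describes. It deliberately refuses a non-hex user.signingKey instead of guessing, because a user-ID string such as "Name <mail>" can resolve to whichever matching key gpg finds first, which is the ambiguity the check is meant to remove.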