Signed commit failure #12
Comments
Earlier report at Eclipse bugzilla 581545. We still use Bouncy Castle to verify the result of the external GPG, and apparently the JGit Bouncy Castle verifier cannot find the public key.
The issue might be caused by different GPG installations using different directories being present. Gpg4Win uses %APPDATA%\gnupg, but AFAIK git-for-windows also bundles a GPG, which might be using something else (probably .gnupg in the user's home directory). We use %APPDATA%\gnupg if it exists, otherwise .gnupg in the home directory. Probably we should use both if both exist.
@almi33: could you please install EGit nightly and try again? It won't have fixed the problem, but it should give a slightly more informative error message. To install EGit nightly, go in Eclipse to "Help->Install New Software..." and use the p2 repository URL https://download.eclipse.org/egit/updates-nightly . If the error message indicates "no public key found", figure out which directory is used by gpg for storing and finding its keys. Then try launching Eclipse with environment variable GNUPGHOME set to that directory. If it then works we know at least that the problem is indeed that EGit/JGit is looking in the wrong directory for the public key.
I am using Gpg4Win. It is the only gpg in the path. Yes, I do have Git installed, also with gpg bundled, but the bundled gpg is not in the path, and when I used Git for signed commits I explicitly pointed to the gpg from Gpg4Win using the gpg.program key in the configuration file. The nightly build shows "no public key found". An attempt to perform a signed commit with GNUPGHOME=C:\Users\some_user\AppData\Local\gnupg failed with the message External program failed (2: gpg: keybox 'C:\Users\some_user\AppData\Local\gnupg\pubring.kbx' created and the stack trace java.io.IOException: External program failed (2: gpg: keybox 'C:\Users\some_user\AppData\Local\gnupg\pubring.kbx' created. Also, after that a lot of odd files appeared in C:\Users\some_user\AppData\Local\gnupg.
Doesn't look like that was the case, judging from the exceptions you got when you tried to use that directory. Without that setting, you got further: gpg.exe did produce a signature, just when EGit tried to verify that signature, it could not find the key.
The latest Gpg4Win documentation still claims %APPDATA%\gnupg was the default directory: https://www.gpg4win.org/doc/en/gpg4win-compendium_28.html
So at least we know now for sure that the problem is that somehow JGit cannot find the public key. I have no Windows 11. I might be able to try in a Windows 10 VM. What Gpg4Win version do you use? Perhaps some way of storing keys has changed, and JGit should try a new way to find them. In particular, I see in the change log that Gpg4Win 4.2.0 now apparently uses an sqlite database to store public keys. That of course is not handled at all by JGit. If that's the root cause of the problem, then JGit has a fundamental problem, and all this signing or verifying signatures with Bouncy Castle won't work anymore at all with Gpg4Win. (Unless we'd include the 12MB sqlite-jdbc driver and read that database from Java. I don't want to go there... it'd be very dependent on the database schema.) For EGit, we might also use the external gpg for verifying signatures, and perhaps not verify the created signature at all (except checking that it starts with the expected "-----BEGIN PGP SIGNATURE-----" line).
My bad, haven't noticed this folder. So, I have run Eclipse again with GNUPGHOME=%APPDATA%\gnupg. This time it failed similar to the original one with log: !ENTRY org.eclipse.egit.ui 4 0 2024-01-14 18:46:19.839 iQIzBAABCAAdFiEEoUJ6eiHyVFqsGb+xZhxIif4w89EFAmWkHeQACgkQZhxIif4w
Here is the output from "gpg --version": Home: C:\Users\some_user\AppData\Roaming\gnupg
What files are inside %APPDATA%\gnupg? In particular, is there a If there are any
Here is what DIR shows:
File pubring.db is located in public-keys.d folder. File pubring.kbx is missing.
File common.conf contains 'use-keyboxd' line. It is the only line in the file.
Thank you! So there we have it: this Gpg4Win installation uses the new sqlite database to store the public keys. JGit doesn't know about that way of storing public keys, so it cannot find the public key for verifying the signature. EGit will need to use the external GPG executable also for verifying signatures. JGit will need at least a caveat in some documentation (perhaps in the readme of org.eclipse.jgit.gpg.bc) that the Bouncy Castle GPG signing does not work if GPG uses the keybox daemon.
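The check that led to this diagnosis can be scripted. The following is an added example, not part of the original thread and not code from EGit or JGit: it walks the GnuPG home directories discussed above and reports whether each one stores public keys through the keybox daemon. The function names are hypothetical, and treating a pubring.db without a pubring.kbx as a keyboxd layout is an assumption based on the directory contents reported in this issue.

```python
import os
from pathlib import Path

def gnupg_home_candidates(env, user_home):
    """Candidate GnuPG homes in the order the thread discusses them."""
    found = []
    if env.get("GNUPGHOME"):
        found.append(Path(env["GNUPGHOME"]))
    if env.get("APPDATA"):                       # Gpg4Win default per the thread
        found.append(Path(env["APPDATA"]) / "gnupg")
    found.append(Path(user_home) / ".gnupg")     # fallback in the home directory
    return found

def uses_keyboxd(home):
    """True if common.conf in this GnuPG home contains a use-keyboxd line."""
    conf = Path(home) / "common.conf"
    if not conf.is_file():
        return False
    for raw in conf.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] == "use-keyboxd":
            return True
    return False

def classify_keystore(home):
    """Return 'missing', 'keyboxd', 'file' or 'empty' for one GnuPG home."""
    home = Path(home)
    if not home.is_dir():
        return "missing"
    has_kbx = (home / "pubring.kbx").is_file()
    has_db = (home / "public-keys.d" / "pubring.db").is_file()
    # Assumption: a pubring.db without a pubring.kbx is treated as keyboxd too,
    # matching the directory listing reported in the thread.
    if uses_keyboxd(home) or (has_db and not has_kbx):
        return "keyboxd"   # keys live in sqlite; a pubring.kbx reader finds none
    return "file" if has_kbx else "empty"

if __name__ == "__main__":
    for candidate in gnupg_home_candidates(os.environ, Path.home()):
        print(f"{candidate}: {classify_keystore(candidate)}")
```

A result of "keyboxd" for the directory that gpg --version reports as Home corresponds to the situation in this issue: the external gpg can sign, but a verifier that reads pubring.kbx directly finds no public key.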
Hi @tomaswolf, I face the same issue with gpg set to be used: So this is already the external program, which is running well, when using the command from the stacktrace itself.
As I wrote before: EGit verifies that the result of calling the external GPG is a valid signature. It uses Bouncy Castle to verify the signature, and that code cannot find the public key because when GPG uses the
Gerrit change 1176329 should fix this.
Great. When to expect fix at any update site?
If all goes well with the EGit 6.9 release on 2024-03-13. EGit nightly may have it earlier. But there are two JGit changes that need to go in first.
Gerrit change 1176329 is merged.
Version
6.8.0.202311291450-r
Operating System
Windows
Eclipse version
2023-12 (4.30.0)
Bug description
Failing to perform signed commit using external gpg. See log in "Relevant log output" section.
Actual behavior
Failed to perform signed commit
Expected behavior
Expected to succeed.
Command line git performs signed commit using the same external gpg, user name and mail successfully
Relevant log output
Other information
No response