git_signing_key_tmp file does not get cleaned up

[florisvdg]

When signing a Git commit with an SSH key, Git creates two temp files:

• .git_signing_key_tmpXXXXXX containing the public key that should be used for signing
• .git_signing_buffer_tmpXXXXXX containing the payload that needs to be signed

After a successful ssh-keygen invocation, Git should clean up both temp files. However, only the signing buffer file gets properly deleted, but the the signing key file remains.

It's reasonable to think that the signing key file is intentionally kept and reused for consecutive integrations, but that doesn't happen either. A new signing key file is created for each git commit command and never cleaned up by Git:

Gitconfig

[gpg]
	format = ssh
[user]
	signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA<...full SSH pubkey>

Git trace

PS> git commit -S --allow-empty -m "Test"
17:29:01.633560 exec-cmd.c:266          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
17:29:01.649157 git.c:476               trace: built-in: git commit -S --allow-empty -m Test
17:29:01.649157 run-command.c:668       trace: run_command: ssh-keygen -Y sign -n git -f 'C:\Users\<username>\AppData\Local\Temp/.git_signing_key_tmpWcbfcD' -U 'C:\Users\<username>\AppData\Local\Temp/.git_signing_buffer_tmpbNtry5'
17:29:01.649157 run-command.c:929       trace: start_command: ssh-keygen -Y sign -n git -f 'C:\Users\<username>\AppData\Local\Temp/.git_signing_key_tmpWcbfcD' -U 'C:\Users\<username>\AppData\Local\Temp/.git_signing_buffer_tmpbNtry5'
17:29:01.758616 run-command.c:668       trace: run_command: git maintenance run --auto --no-quiet --detach
17:29:01.758616 run-command.c:929       trace: start_command: git maintenance run --auto --no-quiet --detach
17:29:01.774198 exec-cmd.c:266          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
17:29:01.774198 git.c:476               trace: built-in: git maintenance run --auto --no-quiet --detach
[main e10ec57] Test

Git version

git version 2.48.1.windows.1

[dscho]

Is this behavior specific to Windows, or can you reproduce the same issue in WSL?

[Juma-creator]

// Define constants for repeated strings
#define SSH_KEYGEN_PROGRAM "ssh-keygen"
#define SSH_SIGN_COMMAND "sign"
#define SSH_VERIFY_COMMAND "verify"
#define GNUPG_SIG_CREATED "[GNUPG:] SIG_CREATED "

// Helper function to write data to a temporary file
static struct tempfile *write_to_tempfile(const char *data, size_t size, const char *suffix) {
struct tempfile *temp = mks_tempfile_t(suffix);
if (!temp) {
error_errno(("could not create temporary file"));
return NULL;
}
if (write_in_full(temp->fd, data, size) < 0 || close_tempfile_gently(temp) < 0) {
error_errno(("failed writing to temporary file '%s'"), temp->filename.buf);
delete_tempfile(&temp);
return NULL;
}
return temp;
}

// Helper function to handle SSH signing
static int handle_ssh_signing(struct signature_check *sigc, const char *signing_key, struct strbuf *buffer, struct strbuf *signature) {
struct child_process signer = CHILD_PROCESS_INIT;
struct strbuf signer_stderr = STRBUF_INIT;
struct tempfile *key_file = NULL, *buffer_file = NULL;
char *ssh_signing_key_file = NULL;
struct strbuf ssh_signature_filename = STRBUF_INIT;
int ret = -1;

key_file = write_to_tempfile(signing_key, strlen(signing_key), ".git_signing_key_tmpXXXXXX");
if (!key_file) return -1;

buffer_file = write_to_tempfile(buffer->buf, buffer->len, ".git_signing_buffer_tmpXXXXXX");
if (!buffer_file) {
    delete_tempfile(&key_file);
    return -1;
}

ssh_signing_key_file = strbuf_detach(&key_file->filename, NULL);
strvec_pushl(&signer.args, SSH_KEYGEN_PROGRAM, "-Y", SSH_SIGN_COMMAND, "-n", "git", "-f", ssh_signing_key_file, buffer_file->filename.buf, NULL);

sigchain_push(SIGPIPE, SIG_IGN);
ret = pipe_command(&signer, NULL, 0, NULL, 0, &signer_stderr, 0);
sigchain_pop(SIGPIPE);

if (ret) {
    error("%s", signer_stderr.buf);
} else {
    strbuf_addf(&ssh_signature_filename, "%s.sig", buffer_file->filename.buf);
    if (strbuf_read_file(signature, ssh_signature_filename.buf, 0) < 0) {
        ret = error_errno(_("failed reading ssh signing data buffer from '%s'"), ssh_signature_filename.buf);
    }
}

delete_tempfile(&key_file);
delete_tempfile(&buffer_file);
strbuf_release(&signer_stderr);
strbuf_release(&ssh_signature_filename);
FREE_AND_NULL(ssh_signing_key_file);

return ret;

}

// Improved sign_buffer_ssh function
static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature, const char *signing_key) {
if (!signing_key || signing_key[0] == '\0') {
return error(_("user.signingKey needs to be set for ssh signing"));
}
return handle_ssh_signing(NULL, signing_key, buffer, signature);
}

// Improved verify_gpg_signed_buffer function
static int verify_gpg_signed_buffer(struct signature_check *sigc, struct gpg_format *fmt, const char *signature, size_t signature_size) {
struct child_process gpg = CHILD_PROCESS_INIT;
struct tempfile *temp = write_to_tempfile(signature, signature_size, ".git_vtag_tmpXXXXXX");
int ret;
struct strbuf gpg_stdout = STRBUF_INIT;
struct strbuf gpg_stderr = STRBUF_INIT;

if (!temp) return -1;

strvec_push(&gpg.args, fmt->program);
strvec_pushv(&gpg.args, fmt->verify_args);
strvec_pushl(&gpg.args, "--status-fd=1", "--verify", temp->filename.buf, "-", NULL);

sigchain_push(SIGPIPE, SIG_IGN);
ret = pipe_command(&gpg, sigc->payload, sigc->payload_len, &gpg_stdout, 0, &gpg_stderr, 0);
sigchain_pop(SIGPIPE);

delete_tempfile(&temp);
ret |= !strstr(gpg_stdout.buf, GNUPG_SIG_CREATED);
sigc->output = strbuf_detach(&gpg_stderr, NULL);
sigc->gpg_status = strbuf_detach(&gpg_stdout, NULL);

parse_gpg_output(sigc);

strbuf_release(&gpg_stdout);
strbuf_release(&gpg_stderr);

return ret;

}

[rimrul]

Looks like there's some movement on this topic on the Git mailing list

[dscho]

Looks like there's some movement on this topic on the Git mailing list

Commit 4498127 (ssh signing: don't detach the filename strbuf from key_file tempfile, 2025-07-07)
(merged via f4fd906 (Merge branch 're/ssh-sign-buffer-fix', 2025-07-14), v2.51.0-rc0~73) is in upstream/master. This commit was mentioned last in:

What's cooking in git.git (Jul 2025, #04; Mon, 14)

---

[Graduated to 'master']

• re/ssh-sign-buffer-fix (2025-07-07) 1 commit
  (merged to 'next' on 2025-07-07 at 36dad3e)
  • ssh signing: don't detach the filename strbuf from key_file tempfile