I'm trying to set up git signatures for my commits and I'm facing an error that I'm not able to figure out.
I have just created my keys and when I list them I get them correctly:
gpg --list-keys
[keyboxd]
---------
pub rsa4096 2025-02-03 [SC]
7D8396F74725A208D835CE3730E62A1E4F078650
uid [ultimate] My UID
uid [ultimate] Another UID of mine
sub ed25519 2025-02-03 [SA]
sub cv25519 2025-02-03 [E]
I have set my signing key in git config to 7D8396F74725A208D835CE3730E62A1E4F078650.
When I verify, the error I get is this:
gpg: Signature made Mon Feb 3 11:03:42 2025 CET
gpg: using EDDSA key 937E44BCBE1C5E3D72342DC7574887BEAA13F10D
gpg: BAD signature from "My UID" [ultimate]
It is using one of the subkeys of the key I set in gitconfig: the one with the SA (sign and authenticate) capabilities.
Weirdly enough, if I sign a tag it works as expected.
I've tried GIT_TRACE=1 before committing and there's no error logged:
11:03:42.918144 git.c:476 trace: built-in: git commit -S -m 'updating snippets keymaps'
11:03:42.920775 run-command.c:667 trace: run_command: gpg --status-fd=2 -bsau 7D8396F74725A208D835CE3730E62A1E4F078650
11:03:42.920832 run-command.c:759 trace: start_command: /opt/homebrew/bin/gpg --status-fd=2 -bsau 7D8396F74725A208D835CE3730E62A1E4F078650
11:03:43.061793 run-command.c:667 trace: run_command: git maintenance run --auto --no-quiet --detach
11:03:43.061829 run-command.c:759 trace: start_command: /opt/homebrew/opt/git/libexec/git-core/git maintenance run --auto --no-quiet --detach
11:03:43.066907 git.c:476 trace: built-in: git maintenance run --auto --no-quiet --detach
When verifying the commit with verify-commit, on the other hand:
11:31:55.248032 git.c:476 trace: built-in: git verify-commit 6c6a4fdc1daf54c5127aeeb003756b7951ef649a
11:31:55.254868 run-command.c:667 trace: run_command: gpg --keyid-format=long --status-fd=1 --verify /var/folders/fh/vxw12js51vs0pp3fqtln7vww0000gn/T//.git_vtag_tmpLhkDf3 -
11:31:55.254970 run-command.c:759 trace: start_command: /opt/homebrew/bin/gpg --keyid-format=long --status-fd=1 --verify /var/folders/fh/vxw12js51vs0pp3fqtln7vww0000gn/T//.git_vtag_tmpLhkDf3 -
gpg: Signature made Mon Feb 3 11:03:42 2025 CET
gpg: using EDDSA key 937E44BCBE1C5E3D72342DC7574887BEAA13F10D
gpg: BAD signature from "My UID" [ultimate]
I'm on macOS 15.2 (M4). GPG version (installed from the gnupg package on brew):
gpg --version
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/augusto/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Note: I've also tried signing some text files directly with gpg and verifying later and it worked fine.
Any ideas on what I'm doing wrong?
I have found out that if I remove the signing type from the authentication subkey (which was enabled for authentication and signing) it starts to work... I have no idea why git/gpg chooses to use the subkey instead of the master key, or why using the subkey doesn't work.