When working with signed Git commits, you might encounter this error:
error: gpg failed to sign the data:
gpg: skipped "[EMAIL]": No secret key
[GNUPG:] INV_SGNR 9 [USER]
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key
fatal: failed to write commit object
This error occurs when you try to create a signed Git commit (using the -S
flag) but GPG can’t find the corresponding secret key for your email address. Let’s walk through how to diagnose and fix this issue.
Checking Your GPG Keys
First, check if you have any GPG keys installed:
gpg --list-secret-keys --keyid-format=long
This command will show output similar to:
/home/user/.gnupg/pubring.kbx
-------------------------------
sec ed25519/KEYID 2024-11-06 [SC]
FULL_KEYID
uid [ultimate] User Name <email@example.com>
ssb cv25519/SUBKEY 2024-11-06 [E]
If You Have a Key
If you see output like above, you already have a GPG key. The key ID is the string after “ed25519/” in the sec
line. You’ll need to configure Git to use this key:
git config --global user.signingkey YOUR_KEY_ID
Also ensure your Git email matches the GPG key email:
git config --global user.email "your.email@example.com"
If You Don’t Have a Key
If no keys are listed, you’ll need to generate a new one:
gpg --full-generate-key
Follow the prompts to create your key. Make sure to use the same email address that you use with Git.
Additional Configuration
Sometimes, you might need to explicitly tell Git which GPG program to use:
git config --global gpg.program $(which gpg)
Testing Your Configuration
After setting everything up, try creating a signed commit:
git commit -S -m "Your commit message"
Troubleshooting Tips
If you’re still having issues:
- Verify your GPG key email matches your Git email
- Ensure your GPG key hasn’t expired
- Check if your key has signing capability (look for [S] in the key capabilities)
- Make sure you’re using the correct key ID
Alternative: Unsigned Commits
If you need to make a commit without signing (assuming your repository allows it), you can simply omit the -S
flag:
git commit -m "Your commit message"
Security Note
Signing your Git commits adds an extra layer of security by verifying that commits actually came from you. It’s especially important for open-source projects or when working in larger teams. However, make sure to keep your GPG private key secure and never share it with others.
Remember that you can also configure Git to sign all commits by default:
git config --global commit.gpgsign true
This way, you won’t need to add the -S
flag to every commit command.
Conclusion
GPG signing issues in Git are usually straightforward to fix once you understand the relationship between your GPG keys and Git configuration. The key is to ensure that Git knows which GPG key to use and that the key is properly set up with your correct email address.