Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license CC4-BY
posted at 08. Mar '24

How to Fix YubiKey GPG Signing Failed

I use a YubiKey to sign commits, and I had been seeing this error for like a year, until my patience ended and I really searched the error this time. As a workaround I signed plaintext in a console with (copy-pasted) gpg --status-fd=2 -bsau 4E3FCA343AE82643, and then no PIN was asked for while calling git commands.

Debug logs are turned on with GIT_TRACE=1.

Here I wanted to rebase, which changes the hashes of commits, so a new signature is required. The same also happens with git commit:

$ GIT_TRACE=1 git rebase origin/master
03:40:27.852928 git.c:463               trace: built-in: git rebase origin/master
03:40:27.861349 run-command.c:659       trace: run_command: gpg --status-fd=2 -bsau 4E3FCA343AE82643
error: gpg failed to sign the data:
[GNUPG:] KEY_CONSIDERED 72607E0BE06B1C14C9FD9A234E3FCA343AE82643 2
[GNUPG:] BEGIN_SIGNING H10
[GNUPG:] PINENTRY_LAUNCHED 8991 tty 1.2.1 - xterm-256color :0 - 1000/1000 -
gpg: podpisovanie zlyhalo: Operation cancelled
[GNUPG:] FAILURE sign 83886179
gpg: signing failed: Operation cancelled

error: failed to write commit object
hint: Could not execute the todo command
hint: 
hint:     pick 5f0331d207b919c24e0630b64d4289aedfd77b28 Add integration test for mysql
hint: 
hint: It has been rescheduled; To edit the command before continuing, please
hint: edit the todo list first:
hint: 
hint:     git rebase --edit-todo
hint:     git rebase --continue

First, make sure you have pinentry installed, either the GUI or the TUI version. GPG, in true GNU fashion, throws some really obscure and cryptic errors. I also assume you have a valid setup.
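The number in the "[GNUPG:] FAILURE sign 83886179" line of the log is a packed libgpg-error value, and decoding it shows which component raised the error. The script below is an added example, not part of the original post; the function names are made up for illustration, and the source and code tables are a small subset of libgpg-error's values.

```shell
# Decode the number in a "[GNUPG:] FAILURE <operation> <number>" status line.
# libgpg-error packs two fields into it:
#   bits 24-30: error source (the component that raised the error)
#   bits  0-15: error code (bit 15 set = wrapped system errno)

gpg_err_source() {
    src=$(( ($1 >> 24) & 0x7F ))
    case $src in
        1) echo gcrypt ;;
        2) echo gpg ;;
        3) echo gpgsm ;;
        4) echo gpg-agent ;;
        5) echo pinentry ;;
        6) echo scdaemon ;;
        *) echo "source-$src" ;;
    esac
}

gpg_err_code() {
    code=$(( $1 & 0xFFFF ))
    if [ $(( code & 0x8000 )) -ne 0 ]; then
        echo "system-errno-index-$(( code & 0x7FFF ))"
        return 0
    fi
    case $code in
        11)  echo GPG_ERR_BAD_PASSPHRASE ;;
        85)  echo GPG_ERR_NO_PIN_ENTRY ;;
        87)  echo GPG_ERR_BAD_PIN ;;
        99)  echo GPG_ERR_CANCELED ;;
        112) echo GPG_ERR_CARD_NOT_PRESENT ;;
        *)   echo "code-$code" ;;
    esac
}

# Read gpg --status-fd output on stdin and explain each FAILURE line.
explain_failures() {
    while read -r tag kind op num rest; do
        [ "$tag" = "[GNUPG:]" ] && [ "$kind" = "FAILURE" ] || continue
        # Digits only: never feed arbitrary text to shell arithmetic.
        case $num in ''|*[!0-9]*) continue ;; esac
        echo "$op: $(gpg_err_code "$num") raised by $(gpg_err_source "$num")"
    done
}

# Status lines copied from the rebase log above.
explain_failures <<'EOF'
[GNUPG:] PINENTRY_LAUNCHED 8991 tty 1.2.1 - xterm-256color :0 - 1000/1000 -
[GNUPG:] FAILURE sign 83886179
EOF
```

For the log above this reports GPG_ERR_CANCELED raised by pinentry: the PIN prompt itself was aborted, so the problem is on the pinentry side rather than with the key or the card.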

As the source of advice I used https://stackoverflow.com/questions/41052538/git-error-gpg-failed-to-sign-data.

You need to tell GPG explicitly to use pinentry, even though its output already says ‘PINENTRY_LAUNCHED….’

In ~/.gnupg/gpg-agent.conf add:

pinentry-program /usr/bin/pinentry-tty
allow-loopback-pinentry

In ~/.gnupg/gpg.conf add:

pinentry-mode loopback

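Now it should work just fine and ask for the PIN. A gpg-agent that is already running only picks up changes to gpg-agent.conf after it is reloaded or restarted.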
