Like many git users, I understood the benefit of commit signature verification and tried to use it. The [documentation](https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification) explains well how to do it. But it seems that some people can use it right away after following the doc's explanation, while others might struggle at some point.
This was my case, and this is why I didn't use this functionality even though I have known about it for years. I tried to configure my PC more than once, but I always got this error and couldn't move forward:
```
error: gpg failed to sign the data
fatal: failed to write commit object
```
I saw so many partial answers here and there, but nothing worked for me.
```
$ GIT_TRACE=1 git commit -S -a -m "beta"
20:42:51.963513 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
20:42:51.967785 git.c:447 trace: built-in: git commit -S -a -m beta
20:42:51.972785 run-command.c:667 trace: run_command: smimesign -bsau 0123456789ABCDEF
could not find identity matching specified user-id: 0123456789ABCDEF
error: gpg failed to sign the data
fatal: failed to write commit object
```
Here we can see that git is trying to use `smimesign`, which can't find gpg keys. By running `git config --list --show-origin` I got this output:

```
file:C:/Program Files/Git/etc/gitconfig diff.astextplain.textconv=astextplain
file:C:/Program Files/Git/etc/gitconfig filter.lfs.clean=git-lfs clean -- %f
file:C:/Program Files/Git/etc/gitconfig filter.lfs.smudge=git-lfs smudge -- %f
file:C:/Program Files/Git/etc/gitconfig filter.lfs.process=git-lfs filter-process
file:C:/Program Files/Git/etc/gitconfig filter.lfs.required=true
file:C:/Program Files/Git/etc/gitconfig http.sslbackend=openssl
file:C:/Program Files/Git/etc/gitconfig http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
file:C:/Program Files/Git/etc/gitconfig core.autocrlf=true
file:C:/Program Files/Git/etc/gitconfig core.fscache=true
file:C:/Program Files/Git/etc/gitconfig core.symlinks=true
file:C:/Program Files/Git/etc/gitconfig pull.rebase=false
file:C:/Program Files/Git/etc/gitconfig credential.helper=manager-core
file:C:/Program Files/Git/etc/gitconfig credential.https://dev.azure.com.usehttppath=true
file:C:/Program Files/Git/etc/gitconfig init.defaultbranch=master
file:C:/Users/Karobwe/.gitconfig core.editor="C:\Users\Karobwe\AppData\Local\Programs\Microsoft VS Code\Code.exe" --wait
file:C:/Users/Karobwe/.gitconfig core.longpaths=true
file:C:/Users/Karobwe/.gitconfig user.email=john.doe@example.com
file:C:/Users/Karobwe/.gitconfig user.name=John Doe
file:C:/Users/Karobwe/.gitconfig gui.recentrepo=C:/laragon/www/wp
file:.git/config core.repositoryformatversion=0
file:.git/config core.filemode=false
file:.git/config core.bare=false
file:.git/config core.logallrefupdates=true
file:.git/config core.symlinks=false
file:.git/config core.ignorecase=true
file:.git/config remote.origin.url=https://github.com/Karobwe/verified-commit-signatures.git
file:.git/config remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
file:.git/config branch.main.remote=origin
file:.git/config branch.main.merge=refs/heads/main
file:.git/config commit.gpgsign=true
file:.git/config user.signingkey=0123456789ABCDEF
file:.git/config gpg.x509.program=smimesign
file:.git/config gpg.format=x509
file:.git/config gpg.program=gpgsm
```

(The `--show-scope` flag might be helpful here.)
Here we can see that I had set gpg to use smimesign, but even after unsetting it with

```
git config --local --unset gpg.x509.program
git config --local --unset gpg.program
```

I still couldn't use verified commits. To solve this I had to tell git to use gpg:

```
git config --local gpg.x509.program gpg
git config --local gpg.program gpg
```
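Git picks the signing executable in two steps: `gpg.format` selects the backend (default `openpgp`), then the matching `gpg.<format>.program` is used, with `gpg.program` as a legacy synonym for the openpgp backend only and `gpgsm` as the x509 default. The script below is an added example, not part of the original post, that applies those rules to `git config --list` output; the function name `effective_signer` and the sample variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `git config --list`
# output (key=value lines) on stdin and prints "<format> <program>":
# the signing backend git will select and the executable it will run.
effective_signer() {
    awk '
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
        }
        # Later lines override earlier ones, as in git itself.
        key == "gpg.format"          { format = val }
        key == "gpg.program"         { prog["openpgp"] = val }  # legacy synonym
        key == "gpg.openpgp.program" { prog["openpgp"] = val }
        key == "gpg.x509.program"    { prog["x509"] = val }
        key == "gpg.ssh.program"     { prog["ssh"] = val }
        END {
            if (format == "") format = "openpgp"      # git default
            dflt["openpgp"] = "gpg"
            dflt["x509"] = "gpgsm"
            dflt["ssh"] = "ssh-keygen"
            if (!(format in dflt)) {
                print "unknown gpg.format: " format > "/dev/stderr"
                exit 1
            }
            print format, ((format in prog) ? prog[format] : dflt[format])
        }'
}

# Constructed inputs: the gpg.* lines from the listing above, the state
# after the two --unset commands, and the state after the final commands.
page_cfg='gpg.x509.program=smimesign
gpg.format=x509
gpg.program=gpgsm'
after_unset='gpg.format=x509'
after_fix='gpg.format=x509
gpg.x509.program=gpg
gpg.program=gpg'

for cfg in "$page_cfg" "$after_unset" "$after_fix"; do
    printf '%s\n' "$cfg" | effective_signer
done
# On a real checkout: git config --list | effective_signer
```

In all three states `gpg.format` stays `x509`, so only `gpg.x509.program` (or its `gpgsm` default) decides which executable runs; `gpg.program` is not consulted.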