Commit Signing "unverified signature"


Describe your question in as much detail as possible:

  • What are you seeing, and how does it differ from what you expect to see? I can’t get commit signing to work. Creating a gpg key locally, uploading the public key to gitlab and signing commits all works. But at the end it says that the commits have an unverified signature. Thus they are “Unverified”, not “Verified”.
  • Consider including screenshots, error messages, and/or other helpful visuals: [screenshot: the commit marked "unverified"]

This is the testing repo.

  • What version are you on (Hint: /help) ? and are you using self-managed or gitlab.com? Latest GitLab (GitLab Next) or the standard GitLab web interface
  • What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been? I replaced the key multiple times, nothing worked


bump, no solution found

Hello.

I just created a repo, added my GPG public key and my signed commits show as ‘unverified’.

I saw a thread mentioning that using a different e-mail for commit signing than for commit authoring may be the issue, but my commits are authored and signed under the same e-mail address.

Any ideas on the issue?

Did you edit your .gitconfig file? You need to specify the key in there, so:

[user]
	email = email@mydomain.com
	name = My Name
	signingkey = GPG-SIGNING-KEY

you have to follow the instructions in the documentation: Signing commits with GPG | GitLab

The signing key you will have gotten from the commands used in the above link to the documentation. Also, you can stop using the -S parameter to sign commits by adding the following to .gitconfig:

[commit]
	gpgsign = true

that way, every time you just issue a git commit -m "Message" it will automatically sign it. Whether you want that or not is up to you. If you have multiple GPG keys and multiple email addresses for commits/repos, then instead of adding it to the default .gitconfig file, add it to the .git/config in the repository. That way, you can control which GPG key is used for each repository/GitLab account if you have multiple accounts with different email addresses and different GPG keys.

I had no issues signing the commit:

$ git log --show-signature -1
commit dbebbfcc06c288b3369a41f619bc07dcf8f054d9 (HEAD -> public, gitlab/public)
gpg: Signature made Tue 14 Dec 2021 04:16:29 PM CST
gpg:                using RSA key 1AFF80108E108036382620E765122AD495A7F5B2
gpg: Good signature from "Rene Vergara <rene@vergara.network>" [ultimate]
gpg:                 aka ""rene@vergara.network" <rene@vergara.network>" [ultimate]
Author: Rene Vergara <rene@vergara.network>
Date:   Tue Dec 14 16:16:08 2021 -0600

    Initial public commit

GitLab is showing this commit as signed but ‘Unverified’, even though I followed all the steps in the docs and have added my public key to GitLab.

I usually only see unverified if a different gpg key was used than the one uploaded to the web interface, or the email address doesn't match the one associated with the account. Otherwise it shows up fine in the web panel of GitLab as verified.

So you need to double check everything.
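As an added example (not code from this thread, the GitLab docs or GitLab itself), the POSIX shell script below puts the .gitconfig settings from the earlier reply (user.signingkey, commit.gpgsign) into a throwaway repo and keyring, and then runs the "double check everything" from the reply just above as three explicit checks on a commit: the signature verifies, the primary key that made it has the fingerprint you uploaded, and the committer e-mail is a user ID on that key. It needs git (2.14 or newer, for the %GP placeholder) and gpg (2.1 or newer, for passphrase-less batch key generation). The name, e-mail addresses and key are made up for the demo; setup_demo, make_test_key and check_signed_commit are helper names invented here.

```shell
#!/bin/sh
# Added example, not code from the thread, the GitLab docs or GitLab itself.
# It reproduces the local half of GPG commit signing in a throwaway GNUPGHOME
# and repo, then runs the checks a forge makes before showing "Verified":
#   1. the signature is cryptographically good,
#   2. the primary key that made it is the one whose public half was uploaded,
#   3. the committer e-mail is a user ID on that key.
# Needs git >= 2.14 (for %GP) and gpg >= 2.1 (for %no-protection). The name,
# e-mail addresses and key are made up; setup_demo/check_signed_commit are
# helper names invented for this example.
set -e

# Generate a passphrase-less test key (never do this for a real key) and print
# its primary-key fingerprint, which is what user.signingkey should hold.
make_test_key() {   # $1 = real name, $2 = e-mail
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Diagnose one signed commit. $1 = repo, $2 = commit, $3 = fingerprint of the
# key registered with the forge. Prints one line per check and returns 0 only
# if all three pass, i.e. nothing on the local side would yield "Unverified".
check_signed_commit() {
    repo=$1; commit=$2
    expected_fpr=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    status=$(git -C "$repo" log -1 --format='%G?' "$commit")
    used_fpr=$(git -C "$repo" log -1 --format='%GP' "$commit")
    committer=$(git -C "$repo" log -1 --format='%ce' "$commit")
    rc=0

    # 1. %G? is G for a good signature, U for good-but-key-untrusted locally
    #    (a forge does not care about your local trust db); anything else fails.
    case "$status" in
        G|U) echo "signature: good (%G? = $status)" ;;
        *)   echo "signature: NOT good (%G? = '$status')"; rc=1 ;;
    esac

    # 2. The primary fingerprint must be the uploaded key's.
    if [ "$used_fpr" = "$expected_fpr" ]; then
        echo "key      : $used_fpr matches the uploaded key"
    else
        echo "key      : signed with '$used_fpr', forge has $expected_fpr"; rc=1
    fi

    # 3. GitLab compares the committer e-mail with the key's user IDs (and with
    #    the account's verified e-mails, which only the server can check).
    if [ -n "$used_fpr" ] && gpg --batch --with-colons --list-keys "$used_fpr" 2>/dev/null \
            | awk -F: '$1 == "uid" { print $10 }' | grep -qF "<$committer>"; then
        echo "e-mail   : $committer is a user ID on the signing key"
    else
        echo "e-mail   : $committer is NOT a user ID on key '$used_fpr'"; rc=1
    fi
    return $rc
}

# Create a throwaway keyring and repo holding one correctly signed commit.
# Sets DEMO_REPO and DEMO_FPR in the caller's shell (no subshell, so the
# exported GNUPGHOME is still in effect when the checks run).
setup_demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    DEMO_FPR=$(make_test_key "Test Signer" "signer@example.test")
    DEMO_REPO="$work/repo"
    git init -q "$DEMO_REPO"
    # The same settings the thread puts in .gitconfig or .git/config.
    git -C "$DEMO_REPO" config user.name "Test Signer"
    git -C "$DEMO_REPO" config user.email "signer@example.test"
    git -C "$DEMO_REPO" config user.signingkey "$DEMO_FPR"
    git -C "$DEMO_REPO" config commit.gpgsign true
    printf 'signed\n' > "$DEMO_REPO/README"
    git -C "$DEMO_REPO" add README
    git -C "$DEMO_REPO" commit -q -m "Initial signed commit"
}

main() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo "git and gpg are required for this demo" >&2; return 0
    fi
    setup_demo
    echo "== commit signed with the uploaded key and a matching e-mail =="
    check_signed_commit "$DEMO_REPO" HEAD "$DEMO_FPR"
    # Same key, but the committer e-mail is not a user ID on it: the signature
    # is still good locally, yet a forge would show the commit as Unverified.
    git -C "$DEMO_REPO" config user.email "other@example.test"
    git -C "$DEMO_REPO" commit -q --allow-empty -m "E-mail not on the key"
    echo "== committer e-mail not on the signing key =="
    check_signed_commit "$DEMO_REPO" HEAD "$DEMO_FPR" || true
}
main
```

Run it as `sh signing-check.sh`. The first block of output passes all three checks; the second shows the case from this thread where `git log --show-signature` still reports a good signature but the e-mail check fails. To point check_signed_commit at a real repository, pass its path, the commit and the fingerprint shown on your GitLab GPG keys page (that page also lists which e-mails on the key are verified for the account, the one condition a local check cannot confirm).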

I just pushed a new commit and that one is verified, with the exact same setup.

I think that GitLab may only verify the signature when it receives the commit, and I hadn’t uploaded my GPG key yet for the first one.

Yes, it only verifies the signature for every commit made after the gpg key was added to the web interface. It won’t do it for commits made prior to adding it.

Is there a way to request or force it to reverify?

Bumping this. It’d be nice to retroactively verify commits once a known good GPG key is uploaded via the web interface.