Describe your question in as much detail as possible:
What are you seeing, and how does it differ from what you expect to see? I can’t get commit signing to work. Creating a GPG key locally, uploading the public key to GitLab and signing commits all works. But at the end it says that the commits have an unverified signature. Thus they are “Unverified”, not “Verified”.
Consider including screenshots, error messages, and/or other helpful visuals
What version are you on (Hint: /help) ? and are you using self-managed or gitlab.com? Latest GitLab (GitLab Next) or the standard GitLab web interface
What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been? I replaced the key multiple times, nothing worked
Thanks for taking the time to be thorough in your request, it really helps!
I just created a repo, added my GPG public key and my signed commits show as ‘unverified’.
I saw a thread mentioning that using a different e-mail for commit signing than for commit authoring may be the issue, but my commits are authored and signed under the same e-mail address.
The signing key you will have gotten from the commands used in the above link to the documentation. Also, you can stop using the -S parameter to sign commits by adding the following to .gitconfig:
[commit]
	gpgsign = true
That way, every time you just issue a git commit -m "Message" it will automatically sign it. Whether you want that or not is up to you. If you have multiple GPG keys and multiple email addresses for commits/repos, then instead of adding it to the default .gitconfig file, add it to the .git/config in the repository. That way, you can control which GPG key is used for each repository/GitLab account if you have multiple accounts with different email addresses and different GPG keys.
I usually only see unverified if the wrong GPG key was used compared to what was uploaded to the web interface, or the email address doesn't match the one associated with the account. Otherwise it shows up fine in the web panel of GitLab as verified.
Yes, it only verifies the signature for every commit made after the gpg key was added to the web interface. It won’t do it for commits made prior to adding it.
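
The two causes named in this thread (a different key than the one uploaded, or an e-mail address that does not match) can be checked locally before pushing. The script below is an added example, not code from any poster or from GitLab: the function names are hypothetical, the sample key listing is constructed, and it assumes the addresses to compare are the commit's author and committer e-mails against the user IDs on the signing key.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample data is constructed.

# Print the e-mail of every non-revoked user ID found in
# `gpg --list-keys --with-colons` output read from stdin (lowercased).
uid_emails() {
  awk -F: '$1 == "uid" && $2 != "r" {
    if (match($10, /<[^>]+>/))
      print tolower(substr($10, RSTART + 1, RLENGTH - 2))
  }'
}

# Succeed if EMAIL is one of those user-ID e-mails.
# usage: gpg --list-keys --with-colons KEYID | key_covers_email EMAIL
key_covers_email() {
  kc_want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  uid_emails | grep -Fxq -- "$kc_want"
}

# Report the key that signed REV (default HEAD) and whether the commit's
# author and committer e-mails appear on it. Run inside the repository.
check_commit() {
  cc_rev=${1:-HEAD}
  cc_rc=0
  cc_key=$(git log -1 --format='%GK' "$cc_rev")
  [ -n "$cc_key" ] || { echo "$cc_rev: no signature"; return 2; }
  echo "signed with $cc_key; user.signingkey=$(git config user.signingkey)"
  for cc_mail in $(git log -1 --format='%ae %ce' "$cc_rev"); do
    if gpg --list-keys --with-colons "$cc_key" | key_covers_email "$cc_mail"
    then echo "ok: $cc_mail is a user ID on the signing key"
    else echo "MISMATCH: $cc_mail is not on the signing key"; cc_rc=1
    fi
  done
  return "$cc_rc"
}

# Constructed sample of colon-format output (not a real key): one valid
# user ID and one revoked user ID.
SAMPLE_COLONS='pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:
uid:u::::1700000000::HASH1::Alice Example <alice@example.com>:
uid:r::::1700000000::HASH2::Alice Example <old@example.com>:'
```

After sourcing the file, `check_commit HEAD` prints the signing key ID and any address mismatch; whether that key and address are the ones registered on the account still has to be compared in the web interface.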