Bug 866578 - I am Having Trouble Contributing to GURU
Status: UNCONFIRMED
Alias: None
Product: GURU
Classification: Unclassified
Component: Contributor problems
Hardware: All Linux
Importance: Normal normal
Assignee: GURU project: Gentoo devs
Reported: 2022-08-25 19:38 UTC by Amar Al-Zubaidi
Modified: 2022-09-20 10:48 UTC

Description Amar Al-Zubaidi 2022-08-25 19:38:06 UTC
I followed the instructions on https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Contributors to contribute to GURU. After running `pkgdev commit`, I got the following error:

```
error: gpg failed to sign the data
fatal: failed to write commit object
```

Previously, I ran the command `git config --local user.signingkey CCB9E48A5803353D1704C3B83F7A9180DA814844`. I also put the following two lines in `/etc/portage/make.conf`:

```
PORTAGE_GPG_KEY="CCB9E48A5803353D1704C3B83F7A9180DA814844"
SIGNED_OFF_BY="Amar Al-Zubaidi <amar.al-zubaidi45@tutanota.com>"
```

Here is the output of `gpg --list-keys`:

```
/home/amarakon/.local/share/gnupg/pubring.kbx
---------------------------------------------
pub   rsa4096 2022-08-23 [C]
      CCB9E48A5803353D1704C3B83F7A9180DA814844
uid           [ultimate] Amar Al-Zubaidi <amar.al-zubaidi45@tutanota.com>
sub   rsa2048 2022-08-23 [S] [expires: 2023-08-23]
sub   rsa2048 2022-08-23 [E] [expires: 2023-08-23]

```
Comment 1 Andrew Ammerlaan gentoo-dev 2022-08-25 19:53:27 UTC
This command can help you identify the root of the problem: GIT_TRACE=1 pkgdev commit

To me it looks like you copied the wrong id, you need the one from: gpg --list-secret-keys --keyid-format LONG
As described here: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
Comment 2 Amar Al-Zubaidi 2022-08-25 23:06:57 UTC
(In reply to Andrew Ammerlaan from comment #1)
> This command can help you identify the root of the problem: GIT_TRACE=1
> pkgdev commit
> 
> To me it looks like you copied the wrong id, you need the one from: gpg
> --list-secret-keys --keyid-format LONG
> As described here:
> https://docs.github.com/en/authentication/managing-commit-signature-
> verification/telling-git-about-your-signing-key

Here is the output of `GIT_TRACE=1 pkgdev commit`:

```
18:58:51.233604 git.c:458               trace: built-in: git rev-parse --show-toplevel
18:58:51.236115 git.c:458               trace: built-in: git diff-index --diff-filter=ARMD --find-renames --name-status --cached -z HEAD
18:58:51.245745 git.c:458               trace: built-in: git status --porcelain=v1 -u -z '*.ebuild'
18:58:51.843397 git.c:458               trace: built-in: git add /home/amarakon/.local/src/guru/media-gfx/blender-bin/Manifest
18:58:51.857878 git.c:458               trace: built-in: git commit -F /tmp/tmpip1go2sg --gpg-sign
18:58:51.886989 run-command.c:654       trace: run_command: gpg --status-fd=2 -bsau CCB9E48A5803353D1704C3B83F7A9180DA814844
error: gpg failed to sign the data
fatal: failed to write commit object
```

Here is the output of `gpg --list-secret-keys --keyid-format LONG`:

```
/home/amarakon/.local/share/gnupg/pubring.kbx
---------------------------------------------
sec   rsa4096/3F7A9180DA814844 2022-08-23 [C]
      CCB9E48A5803353D1704C3B83F7A9180DA814844
uid                 [ultimate] Amar Al-Zubaidi <amar.al-zubaidi45@tutanota.com>
ssb   rsa2048/E94F61DDAF7D6C04 2022-08-23 [S] [expires: 2023-08-23]
ssb   rsa2048/3BC558B466989B64 2022-08-23 [E] [expires: 2023-08-23]
```

I'm not sure which one it should be, so I also tried using the `3F7A9180DA814844` key, but I still got the same error. By the way, I cloned with `git clone -b dev https://gitweb.gentoo.org/repo/proj/guru.git` instead of `git clone -b dev git@git.gentoo.org:repo/proj/guru.git` because the latter gave me this error:

```
Cloning into 'guru'...
git@git.gentoo.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

This happened even though my access request was accepted.
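
Added example (not part of the bug thread): comment 2 is unsure which key ID to use, and the listing shows a certify-only primary key with a separate signing subkey. This shell function reads the `gpg --list-secret-keys --with-colons` format and prints only the keys that hold the sign capability; the sample listing is constructed, and its subkey fingerprints and timestamps are placeholders.

```shell
#!/usr/bin/env bash
# Added example: find the sign-capable keys in gpg's colon-delimited listing.

# Constructed sample mirroring the key layout shown in this bug: a
# certify-only primary plus one signing and one encryption subkey.
# Subkey fingerprints and timestamps are placeholders, not real values.
sample_listing() {
cat <<'EOF'
sec:u:4096:1:3F7A9180DA814844:1661212800:::u:::cESC:
fpr:::::::::CCB9E48A5803353D1704C3B83F7A9180DA814844:
uid:u::::1661212800::::Example User <user@example.org>:
ssb:u:2048:1:E94F61DDAF7D6C04:1661212800:1692748800:::::s:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAE94F61DDAF7D6C04:
ssb:u:2048:1:3BC558B466989B64:1661212800:1692748800:::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB3BC558B466989B64:
EOF
}

# Reads colon records on stdin and prints, for every key that can sign:
#   <record type> <long key ID> <fingerprint> <validity>
# Validity "u" or "f" means usable; "e" is expired and "r" is revoked.
signing_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      type = $1; keyid = $5; validity = $2
      # Field 12: lowercase letters are this key own capabilities;
      # uppercase letters on the primary summarise the whole key.
      cansign = ($12 ~ /s/)
      pending = 1
      next
    }
    # The fpr record that follows a key record carries its fingerprint.
    $1 == "fpr" && pending {
      if (cansign) print type, keyid, $10, validity
      pending = 0
    }'
}

# "--live" inspects the local keyring; with no argument nothing is run.
case "${1:-}" in
  --live) gpg --list-secret-keys --with-colons | signing_keys ;;
esac
```

gpg accepts the primary fingerprint for `-u` and selects a signing-capable subkey itself, so a result showing a valid `s` subkey points away from the key ID as the cause of the failure.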
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 06:37:22 UTC
Try running directly:

gpg  -bsau CCB9E48A5803353D1704C3B83F7A9180DA814844 <<<foo

If it works, it should output a signature.  If it doesn't, it should give "somewhat human-readable" error.
Comment 4 Amar Al-Zubaidi 2022-08-26 07:00:34 UTC
(In reply to Michał Górny from comment #3)
> Try running directly:
> 
> gpg  -bsau CCB9E48A5803353D1704C3B83F7A9180DA814844 <<<foo
> 
> If it works, it should output a signature.  If it doesn't, it should give
> "somewhat human-readable" error.

Here is the output:

```
gpg: signing failed: Operation cancelled
gpg: signing failed: Operation cancelled
```

This exact error occurred for every single key that was listed from `gpg --list-secret-keys --keyid-format LONG`, even though I followed the Gentoo Wiki's instructions on generating a GPG key. Maybe I messed up somewhere? Should I delete this key and try generating a GPG key again according to the Gentoo Wiki, but this time pay more attention to not make any mistakes in the process?
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 07:12:54 UTC
How about:
echo foo | gpg -bsau CCB9E48A5803353D1704C3B83F7A9180DA814844?
Comment 6 Andrew Ammerlaan gentoo-dev 2022-08-26 08:23:21 UTC
Could you give us a bit more information about your system? Specifically the output of:
- eix -I app-crypt/gnupg
- eix -I app-crypt/pinentry
- eselect pinentry list
- cat ~/.gnupg/gpg.conf
- cat ~/.gnupg/gpg-agent.conf
- Are you running a graphical session, if so, which one? Please check if eselect-pinentry matches with the session you are running. (qt5 for kde, gnome3 for gnome, tty for non-graphical session)
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 08:51:21 UTC
I think the key is fine, and pinentry is the problem.  You're probably trying to use pinentry-tty or pinentry-curses but it can't access your pty for some reason.  My suggestion would be to try a graphical pinentry frontend instead.
Comment 8 Amar Al-Zubaidi 2022-08-26 17:41:43 UTC
(In reply to Andrew Ammerlaan from comment #6)
> Could you give us a bit more information about your system? Specifically the
> output of:
> - eix -I app-crypt/gnupg
> - eix -I app-crypt/pinentry
> - eselect pinentry list
> - cat ~/.gnupg/gpg.conf
> - cat ~/.gnupg/gpg-agent.conf
> - Are you running a graphical session, if so, which one? Please check if
> eselect-pinentry matches with the session you are running. (qt5 for kde,
> gnome3 for gnome, tty for non-graphical session)

```
$ eix -I app-crypt/gnupg
[U] app-crypt/gnupg
     Available versions:  2.2.35^t 2.2.35-r1^t (~)2.2.36^t (~)2.3.6^t{tbz2} (~)2.3.6-r1^t{tbz2} (~)2.3.7-r1^t {bzip2 doc ldap nls readline selinux +smartcard ssl test (+)tofu tools tpm usb user-socket verify-sig wks-server}
     Installed versions:  2.3.6-r1^t{tbz2}(02:48:06 AM 2022-07-09)(ssl tofu -bzip2 -doc -ldap -nls -readline -selinux -smartcard -test -tools -tpm -usb -user-socket -verify-sig -wks-server)
     Homepage:            https://gnupg.org/
     Description:         The GNU Privacy Guard, a GPL OpenPGP implementation
```

```
$ eix -I app-crypt/pinentry
[I] app-crypt/pinentry
     Available versions:  1.2.0{tbz2} (~)1.2.0-r1{tbz2} {caps efl emacs gnome-keyring gtk ncurses qt5}
     Installed versions:  1.2.0-r1{tbz2}(08:34:05 PM 2022-07-07)(-caps -efl -emacs -gnome-keyring -gtk -ncurses -qt5)
     Homepage:            https://gnupg.org/aegypten2
     Description:         Simple passphrase entry dialogs which utilize the Assuan protocol
```

```
$ eselect pinentry list
Available pinentry binary implementations:
  [1]   pinentry-tty *
```

Disclaimer: my $GPGHOME is set to ~/.local/share/gpg instead of ~/.gpg.

```
$ cat ~/.local/share/gnupg/gpg.conf
cat: /home/amarakon/.local/share/gnupg/gpg.conf: No such file or directory
```

```
$ cat ~/.local/share/gnupg/gpg-agent.conf
cat: /home/amarakon/.local/share/gnupg/gpg-agent.conf: No such file or directory
```

Here is everything inside ~/.local/share/gnupg:

```
 /home/amarakon/.local/share/gnupg/
├──  openpgp-revocs.d/
│  └──  CCB9E48A5803353D1704C3B83F7A9180DA814844.rev
├──  private-keys-v1.d/
│  ├──  03EBB0299D170E03257180C349F7FC0D3F07C883.key
│  ├──  6E91A2DA8C58D4D4F48AF33A32C676395F5D04A5.key
│  └──  A0F18EEA8AF5C2A6C4D3F4A74C1A0E8CDAADB523.key
├──  .#lk0x0000562d1a241a60.genpad.11436
├──  tofu.db
├──  trustdb.gpg
├──  pubring.kbx
└──  pubring.kbx~
```

I do not use KDE or Gnome. I am running DWM. My default pinentry in `eselect pinentry list` is `pinentry-tty`. Could this issue be because I do not have some USE flags set for those packages you listed?
Comment 9 Amar Al-Zubaidi 2022-08-26 17:44:01 UTC
(In reply to Michał Górny from comment #7)
> I think the key is fine, and pinentry is the problem.  You're probably
> trying to use pinentry-tty or pinentry-curses but it can't access your pty
> for some reason.  My suggestion would be to try a graphical pinentry
> frontend instead.

Maybe it can't access my pty because I set my $GPGHOME to be ~/.local/share/gnupg instead of ~/.gpg. Could that be the issue?
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-27 06:08:30 UTC
(In reply to Amar Al-Zubaidi from comment #9)
> Maybe it can't access my pty because I set my $GPGHOME to be
> ~/.local/share/gnupg instead of ~/.gpg. Could that be the issue?

I don't think that's it.  Console versions of pinentry are very fragile to tty permissions, so you may be missing some magic that sets these or using screen/tmux/etc., or doing one of other 1000 things that break this PoS.

For a start, check your tty/pty permissions:

$ ls -l $(tty)

To confirm, you could try logging in from text console (e.g. ctrl-alt-f1) and seeing if it works on plain tty.

My suggestion would be to enable USE=gtk or USE=qt5 (or maybe USE=efl but I've never used that) on app-crypt/pinentry, and switching to a graphical entry.  It shouldn't matter which WM you use, it's just which UI you prefer (pinentry-gnome3 is GTK+3).
Comment 11 Amar Al-Zubaidi 2022-08-27 13:19:37 UTC
(In reply to Michał Górny from comment #10)
> (In reply to Amar Al-Zubaidi from comment #9)
> > Maybe it can't access my pty because I set my $GPGHOME to be
> > ~/.local/share/gnupg instead of ~/.gpg. Could that be the issue?
> 
> I don't think that's it.  Console versions of pinentry are very fragile to
> tty permissions, so you may be missing some magic that sets these or using
> screen/tmux/etc., or doing one of other 1000 things that break this PoS.
> 
> For a start, check your tty/pty permissions:
> 
> $ ls -l $(tty)
> 
> To confirm, you could try logging in from text console (e.g. ctrl-alt-f1)
> and seeing if it works on plain tty.
> 
> My suggestion would be to enable USE=gtk or USE=qt5 (or maybe USE=efl but
> I've never used that) on app-crypt/pinentry, and switching to a graphical
> entry.  It shouldn't matter which WM you use, it's just which UI you prefer
> (pinentry-gnome3 is GTK+3).

```
ls -l $(tty)
crw--w---- 1 amarakon tty 136, 0 Aug 27 09:13 /dev/pts/0
```

Are those permissions correct? If not, can I manually fix them with `chmod`? Or is it better to just enable USE=gtk?
Comment 12 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-27 18:10:24 UTC
I don't see anything wrong with them but I'm not an expert on this.  I'm sorry but I have no more ideas.  I think using the GUI version would be the simplest solution, or at least trying it to make sure it's this and not something else entirely.
Comment 13 Volkmar W. Pogatzki 2022-08-29 12:24:05 UTC
(In reply to Amar Al-Zubaidi from comment #0)
> I followed the instructions on
> https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Contributors to
> contribute to GURU. After running `pkgdev commit`, I got the following error:
> 
> ```
> error: gpg failed to sign the data
> fatal: failed to write commit object
> ```


Have you tried this? 
https://wiki.gentoo.org/wiki/GitHub_Pull_Requests#Possible_issues_with_signing