my signing key expired, so i generated a new one, and updated ldap on the dev box. but git push is still rejecting me.

last i heard, the git server keyring was manually synced, so can we get this resynced ? if it is automatic now, can we update the error message to indicate how long one has to wait before it auto-resyncs ?

it would also help if the rejection message indicated *which commit* and *which key* were causing problems.

$ git branch -v
* master a97b5d8 [ahead 4] net-misc/suite3270: version bump to 3.4_p10
$ git config --get user.signingkey
0xC9975267
$ git log --show-signature -4 |& grep ^gpg:
gpg: Signature made Sat 02 Jan 2016 12:28:13 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
gpg: Signature made Sat 02 Jan 2016 12:27:56 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
gpg: Signature made Sat 02 Jan 2016 12:27:23 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
gpg: Signature made Sat 02 Jan 2016 12:26:49 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
$ git push --signed
Counting objects: 20, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (20/20), 4.56 KiB | 0 bytes/s, done.
Total 20 (delta 16), reused 0 (delta 0)
remote: No signature found
remote: Your push was not signed with a known key.
remote: You must use git push --signed with a known key.
remote: Variable GIT_PUSH_CERT_KEY=''
remote: Variable GIT_PUSH_CERT_NONCE='1451713054-cdcbb439ee4b1c86ac46'
remote: Variable GIT_PUSH_CERT_NONCE_SLOP=''
remote: Variable GIT_PUSH_CERT_NONCE_STATUS='OK'
remote: Variable GIT_PUSH_CERT_SIGNER=''
remote: Variable GIT_PUSH_CERT_STATUS='N'
To ssh://git@git.gentoo.org/repo/gentoo.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@git.gentoo.org/repo/gentoo.git'
looks like it went through now. so let's go with feature requests:

(1) add to the end of the rejection message something like:
If you just update your key in ldap, then it can take ~15 minutes to sync.
Please consult <wiki page> for more details.

(2) correctly handle unknown keys. the error just says "remote: No signature found" which is clearly incorrect -- it should say something like:
Signature found with unknown key 0xXXXXXXXX
(In reply to SpanKY from comment #1)
> (1) add to the end of the rejection message something like:
> If you just update your key in ldap, then it can take ~15 minutes to sync.
> Please consult <wiki page> for more details.

Message added.

> (2) correctly handle unknown keys. the error just says "remote: No
> signature found" which is clearly incorrect -- it should say something like:
> Signature found with unknown key 0xXXXXXXXX

The code DOES correctly handle this.
Your commit was NOT signed, as evidenced by Git setting GIT_PUSH_CERT_STATUS=N

I don't know why your 'git push --signed' did not sign it, but it wasn't a server-side error.

Here's the entire script for you (before I changed the message).
=====
#!/bin/sh
# ----------------------------------------------------------------------
# standard stuff
die() { echo "$@" >&2; exit 1; }
warn() { echo "$@" >&2; }
fail_signed_push() {
	warn "$@"
	warn "Your push was not signed with a known key."
	warn "You must use git push --signed with a known key."
	# ${!var} is bash indirect expansion, so /bin/sh must be bash here
	for var in \
		GIT_PUSH_CERT_KEY \
		GIT_PUSH_CERT_NONCE \
		GIT_PUSH_CERT_NONCE_SLOP \
		GIT_PUSH_CERT_NONCE_STATUS \
		GIT_PUSH_CERT_SIGNER \
		GIT_PUSH_CERT_STATUS \
		; do
		warn "Variable $var='${!var}'"
	done
	exit 1
}
# ----------------------------------------------------------------------
case $GIT_PUSH_CERT_STATUS in
	# Good
	G) ;;
	# Bad
	B) fail_signed_push "Bad signature" ;;
	# Untrusted good
	U) ;;
	# TODO: deny this later
	#U) fail_signed_push "Good but untrusted signature" ;;
	# No signature
	N) fail_signed_push "No signature found" ;;
	# Future-proof
	*) fail_signed_push "Unknown GIT_PUSH_CERT_STATUS" ;;
esac
exit 0
====
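One way a pre-receive hook could name the key and separate the failure cases requested in this bug, as an added example that is not the Gentoo hook or code from either commenter. The status letters are those of git's %G? format and the nonce values those documented for GIT_PUSH_CERT_NONCE_STATUS; the function name and message wording are assumptions, and unlike the script above it rejects U.

```shell
#!/bin/sh
# Added example, not the Gentoo hook: decide on a push from the
# GIT_PUSH_CERT_* variables that git-receive-pack passes to pre-receive.

# Print a one-line reason; return 0 to accept the push, 1 to reject it.
# push_cert_verdict is a hypothetical name chosen for this example.
push_cert_verdict() {
    # An unsigned push leaves the variables unset; treat that as N.
    status=${GIT_PUSH_CERT_STATUS:-N}
    key=${GIT_PUSH_CERT_KEY:-unknown}
    nonce=${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}

    # Signature state first (letters as in git's %G? format).
    case $status in
        G) ;;
        U) echo "good signature, but key $key is not trusted"; return 1 ;;
        B) echo "bad signature, key $key"; return 1 ;;
        E) echo "signature found, but key $key cannot be checked"; return 1 ;;
        X|Y|R) echo "signature or key $key is expired or revoked"; return 1 ;;
        N) echo "no signature found"; return 1 ;;
        *) echo "unknown GIT_PUSH_CERT_STATUS '$status'"; return 1 ;;
    esac

    # A good signature over a nonce this server did not issue may be a
    # replayed certificate. SLOP only occurs if receive.certNonceSlop is set.
    case $nonce in
        OK|SLOP) ;;
        *) echo "good signature from $key, but nonce status is $nonce"; return 1 ;;
    esac
    echo "accepted push signed by $key"
}

# Act as a hook only when installed under the name pre-receive.
case ${0##*/} in
    pre-receive)
        if ! reason=$(push_cert_verdict); then
            echo "Push rejected: $reason" >&2
            echo "A key just updated in LDAP can take ~15 minutes to sync." >&2
            exit 1
        fi ;;
esac
```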
(In reply to Robin Johnson from comment #2)

i'm pretty sure it was signed. i ran a script:
while ! git push --signed ; do sleep 5m ; done

it failed a few times before working. i doubt something on my side randomly started signing.