Signing not shown as verified by GitLab [message #1816910] Mon, 11 November 2019 17:01
Gerard Krupa
I'm attempting to make a signed commit in GitLab CE. I've correctly set up the user account, added the GPG public key and verified the email. If I use git commit -S, the GitLab UI shows the commit as verified.

If I try making a signed commit with JGit (5.5.1.201910021850-r), GitLab accepts that the commit is signed and shows the correct key ID in the tooltip, but lists the commit as unverified (with the tooltip "This commit was signed with an unverified signature"). The code (Kotlin) that I'm using to sign is:

    private fun commitMerge(
        repo: Git,
        project: Project,
        mergeRequest: MergeRequestDetails
    ) =
        repo.commit()
            .setNoVerify(false)
            .setMessage("Merge ${project.id} - ${mergeRequest.description}")
            .setSign(true)
            .setSigningKey(signingKey).apply {
                setCredentialsProvider(passphraseCredentialsProvider)
            }.call()


Is there something I'm missing or just something that BouncyCastle does differently to the git CLI?
Re: Signing not shown as verified by GitLab [message #1817132 is a reply to message #1816910] Fri, 15 November 2019 20:46
Thomas Wolf
Might be bug 552288. Can you try with JGit nightly, for instance 5.6.0-20191115.000833? Available at https://repo.eclipse.org/content/repositories/snapshots/org/eclipse/jgit/org.eclipse.jgit/5.6.0-SNAPSHOT/ .

Also to check: what does git log --show-signature show for the two commits? Are they using the same key? If not, check with gpg --list-keys which key is used. Could "signingKey" be ambiguous? If so, it might also be bug 550335.
Re: Signing not shown as verified by GitLab [message #1817256 is a reply to message #1816910] Tue, 19 November 2019 12:17
Thomas Wolf
It's bug 553206. The upshot is: GPG and GitLab implement a future RFC4880 version, and Bouncy Castle doesn't yet. And GitLab doesn't verify correctly if a signature follows the older RFC4880.

Nothing we can do until Bouncy Castle catches up.
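
One way to see how a `git commit -S` signature and a JGit signature differ, as an added example that is not from any of the posts above: it lists the signature subpacket types in a binary OpenPGP v4 signature packet that RFC 4880 itself does not assign. The thread does not say which part of the newer draft is involved, so the two sample packets are constructed and all function names are this example's own.

```python
# Subpacket types assigned by RFC 4880 section 5.2.3.1 (100-110: private use).
RFC4880_TYPES = {2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 16, *range(20, 33), *range(100, 111)}

def read_len(buf, i):  # 1, 2 or 5 octet length at buf[i] -> (length, next index)
    l = buf[i]
    if l < 192:
        return l, i + 1
    if l < 255:
        return ((l - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def signature_body(pkt):  # body of a signature packet (tag 2), either header format
    first = pkt[0]
    if first & 0x40:  # new format; partial lengths are not allowed for tag 2
        tag, (n, off) = first & 0x3F, read_len(pkt, 1)
    else:  # old format: low two bits select a 1, 2 or 4 byte length field
        tag, off = (first >> 2) & 0x0F, 1 + (1 << (first & 3))
        n = int.from_bytes(pkt[1:off], "big")
    if tag != 2 or off > 6:
        raise ValueError("not a definite-length signature packet")
    return pkt[off:off + n]

def subpacket_types(area):  # type numbers in one area, critical bit masked off
    types, i = [], 0
    while i < len(area):
        l, i = read_len(area, i)
        types.append(area[i] & 0x7F)
        i += l  # the length counts the type octet plus the data
    return types

def types_outside_rfc4880(sig):  # sig: binary v4 signature packet
    body = signature_body(sig)
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    u = 6 + int.from_bytes(body[4:6], "big")  # unhashed area follows the hashed one
    end = u + 2 + int.from_bytes(body[u:u + 2], "big")
    found = subpacket_types(body[6:u]) + subpacket_types(body[u + 2:end])
    return sorted(set(found) - RFC4880_TYPES)

def sample(hashed):  # constructed packet: header and subpacket areas only, no MPIs
    unhashed = bytes([9, 16]) + bytes(8)  # issuer key ID (type 16), zeroed
    body = (bytes([4, 0, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + bytes(2))
    return bytes([0x88, len(body)]) + body  # old-format header, one-byte length

TIME = bytes([5, 2]) + bytes(4)  # creation time (type 2), zeroed
SAMPLE_A = sample(TIME)
SAMPLE_B = sample(TIME + bytes([22, 33, 4]) + bytes(20))  # adds a type 33 subpacket
print(types_outside_rfc4880(SAMPLE_A), types_outside_rfc4880(SAMPLE_B))
```

To run it on real commits, take the `gpgsig` block that `git cat-file commit <sha>` prints for each commit, remove the leading spaces, and convert it to binary with `gpg --dearmor`.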