Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » EGit / JGit » Signing not shown as verified by GitLab
Signing not shown as verified by GitLab [message #1816910] Mon, 11 November 2019 17:01 Go to next message
Gerard Krupa is currently offline Gerard KrupaFriend
Messages: 1
Registered: November 2019
Junior Member
I'm attempting to make a signed commit in GitLab CE. I've correctly set up the user account, added the GPG public key and verified the email. If I use git commit -S, the GitLab UI shows the commit as verified.

If I try making a signed commit with JGit (5.5.1.201910021850-r) GitLab will accept that the commit is signed, shows the correct key ID in the tooltip but lists the commit as unverified (with the tooltip "This commit was signed with an unverified signature"). The code (Kotlin) that I'm using to sign is:

    private fun commitMerge(
        repo: Git,
        project: Project,
        mergeRequest: MergeRequestDetails
    ) =
        repo.commit()
            .setNoVerify(false)
            .setMessage("Merge ${project.id} - ${mergeRequest.description}")
            .setSign(true)
            .setSigningKey(signingKey).apply {
                setCredentialsProvider(passphraseCredentialsProvider)
            }.call()


Is there something I'm missing or just something that BouncyCastle does differently to the git CLI?
Re: Signing not shown as verified by GitLab [message #1817132 is a reply to message #1816910] Fri, 15 November 2019 20:46 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 374
Registered: August 2016
Senior Member
Might be bug 552288. Can you try with JGit nightly, for instance 5.6.0-20191115.000833? Available at https://repo.eclipse.org/content/repositories/snapshots/org/eclipse/jgit/org.eclipse.jgit/5.6.0-SNAPSHOT/ .

Also to check: what does git log --show-signature show for the two commits? Are they using the same key? If not, check with gpg --list-keys which key is used. Could "signingKey" be ambiguous? If so, it might also be bug 550335.
Re: Signing not shown as verified by GitLab [message #1817256 is a reply to message #1816910] Tue, 19 November 2019 12:17 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 374
Registered: August 2016
Senior Member
It's bug 553206. The upshot is: GPG and Gitlab implement a future RFC4880 version, and Bouncy Castle doesn't yet. And Gitlab doesn't verify correctly if a signature follows the older RFC4880.

Nothing we can do until Bouncy Castle catches up.
Re: Signing not shown as verified by GitLab [message #1828812 is a reply to message #1817256] Fri, 19 June 2020 06:51 Go to previous message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 374
Registered: August 2016
Senior Member
Gitlab versions < 12.10 had a bug that makes signature verification fail for commits with commit messages that do not end in a newline. See https://gitlab.com/gitlab-org/gitaly/-/issues/2545 and bug 564428 comment 5.
Previous Topic:Merging repositories with JGit + altering commit messages
Next Topic:EGit signing somehow not accepted by GitLab, works fine for GitHub
Goto Forum:
  


Current Time: Sun Jun 20 04:22:58 GMT 2021

Powered by FUDForum. Page generated in 0.02017 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top