Why does Git say that I bypassed the rule for "Commits must have valid signatures" even though my commit is signed by GNUPG?


Question


So today I added a rule in my team's GitHub repo that every commit must have a valid signature. I installed GPG to sign my commits, but when I pushed my commit to the GitHub repo, it kept on saying that I bypassed that rule. But when I added the flag --signed, the GitHub repo did not accept it. Here is the output of when I pushed without --signed:

C:\Users\Family\Parkour>git add .

C:\Users\Family\Parkour>git ci -S -m "firstcommit"
[main fefd3e6] firstcommit
 6 files changed, 2 insertions(+), 856 deletions(-)
 delete mode 100644 notshowingfiles
 delete mode 100644 notshowingfiles

C:\Users\Family\Parkour>git push
Enumerating objects: 19, done.
Counting objects: 100% (19/19), done.
Delta compression using up to 4 threads
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 1.39 KiB | 236.00 KiB/s, done.
Total 10 (delta 9), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (9/9), completed with 9 local objects.
remote: Bypassed rule violations for refs/heads/main:
remote:
remote: - Commits must have valid signatures.
remote:
To https://github.com/team/game.git
   67ef523..fefd3e6  main -> main

And here is the output of when I pushed with --signed:

C:\Users\Family\Parkour>git add .
warning: in the working copy of 'notshowingfiles', LF will be replaced by CRLF the next time Git touches it

C:\Users\TheUser\Parkour>git ci -S -m "secondcommit"
[main 946458c] secondcommit
 9 files changed, 1695 insertions(+), 853 deletions(-)
 create mode 100644 notshowingfiles
 create mode 100644 notshowingfiles

C:\Users\TheUser\Parkour>git push --signed
fatal: the receiving end does not support --signed push
fatal: the remote end hung up unexpectedly
error: failed to push some refs to 'https://github.com/team/game.git'

(removed some stuff)

Does GitHub not support GPG, or do I have a mistake somewhere?

Answer 1

Score: 3


As jornrsharpe already said in a comment, a signed push is not supported by GitHub.

But what you most probably enabled instead with that rule is to enforce signed commits. To push signed commits, you do a normal push, as you did in your first snippet.

The error message then doesn't say your commits are not signed; it says the signature is not valid.
What this most probably refers to is a so-called verified signature.

So, to enable GitHub to verify your signature, you need to add the public key of your signing keypair to GitHub. You can find good step-by-step descriptions in their docs for each variant, be it GPG, SSH or S/MIME.

Since you mentioned GPG in the tags, here's a direct link.

Basically it's Settings, Access, SSH and GPG keys and add it there.
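A local pre-push check for the situation described in this answer, as an added example that is not part of the original post: it reads Git's per-commit signature status and lists the key IDs whose public keys have to be on the GitHub account. It assumes a POSIX shell such as Git Bash; the upstream name `origin/main`, the function names, and the sample hashes, key ID and address are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Input is one line per commit,
#   hash|status|key-id|committer-email
# as printed by: git log --format='%h|%G?|%GK|%ce' origin/main..HEAD
# (origin/main is an assumed upstream). Status codes are %G? from git-log(1).

# Constructed sample input (hashes, key ID and address are made up).
sample_log() {
    printf '%s\n' 'a1b2c3d|G|AAAABBBBCCCCDDDD|dev@example.com' \
                  'b2c3d4e|N||dev@example.com' \
                  'c3d4e5f|U|AAAABBBBCCCCDDDD|dev@example.com'
}

# One diagnosis line per commit; returns 1 if any commit would fail the rule.
classify_signatures() {
    rc=0
    while IFS='|' read -r hash status key email; do
        case "$status" in
            G|U)   # good signature; U only means local trust in the key is unset
                echo "$hash signed by $key as $email" ;;
            X|Y|R) # good signature, but it expired or the key is expired/revoked
                echo "$hash signed by $key but signature or key expired/revoked"
                rc=1 ;;
            E)     # signature present, public key missing from the local keyring
                echo "$hash signed by $key but cannot be checked locally" ;;
            B)  echo "$hash BAD signature"; rc=1 ;;
            N)  echo "$hash UNSIGNED"; rc=1 ;;
            *)  echo "$hash unrecognised status '$status'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Unique key IDs that signed the listed commits. GitHub can only verify a
# commit if the matching public key has been added to the account.
signing_keys() {
    awk -F'|' '$3 != "" { print $3 }' | sort -u
}

# Typical use inside a repository (not run here):
#   git log --format='%h|%G?|%GK|%ce' origin/main..HEAD | classify_signatures
#   git log --format='%h|%G?|%GK|%ce' origin/main..HEAD | signing_keys
#   gpg --armor --export <KEYID>   # paste the output under SSH and GPG keys
```

A commit that reports `G` or `U` here can still trigger the rule on GitHub until the key printed by `signing_keys` has been added to the account.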

huangapple
  • Posted on May 14, 2023, 17:40:03
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76246788.html