GPG Keys verify fail

Gitea Usages
1

Hello,

I have trouble verifying my GPG key.
The key is self issued, no expiry date.
Currently I am signing all commits with that same key, all working OK.
When I click on “Verify”, the system provides a token and a place to paste the generated GPG signature.
The proposed method for generating the GPG signature is “echo “<token_number>” | gpg -a --default-key <key_ID> --detach-sig”, which I execute at the cmd prompt.
After entering my password for the certificate I get a “-----BEGIN PGP SIGNATURE----- xxx -----END PGP SIGNATURE-----” block in full ( xxx is a demo value, not to paste all in here ).
I copy/paste the generated signature block into the “Armored GPG signature” box, hit “Verify”.

On top of the page the following error message is stated:

The provided GPG key, signature and token do not match or token is out-of-date.

My Gitea user email address is the same as in certificate.
Is there any step I am missing?

Gitea Version: 1.15.6
Git Version: 2.34.0

Regards

2

I just verified this works with 1.15.6.

image
image1165×207 27.7 KB

I see nothing wrong in the steps you describe. It probably is a :man_facepalming: problem (i.e. something creating the problem that is really simple… and that neither you or me are guessing :wink: )

3

I’m getting the same issue if I sign on Windows, but not if I sign on Linux. Probably something to do with that.

4

Same issue here, using gpg4win + Kleopatra with OpenPGP keys on windows 10. First it asks me to enter my public key, once I try to submit that it asks for a signature which I generate with the given command. Adding the generated signature and trying to submit results in: The provided GPG key, signature and token do not match or token is out-of-date.

5

Same here, gpg4win + Kleopatra fails but using wsl with GPG CLI works just fine

7

I’m having the same problem, and this is the only open thread I found on Google for this issue. Verification works when I do it on Linux, but not Windows.

8

in your above cli code, make sure your <key_ID> is your full GPG key as an example below from the gpg --list-keys output.

pub rsa4096 2020-01-01 [SC]
ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
uid John Doe john.doe@example.com
sub rsa4096 2020-01-01 [E]

in my case I had to split the above CLI pipe command into two steps on my CLI as follows as an example:

echo “<token_number>” > sample.txt
gpg -a --default-key ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234 --detach-sig sample.txt

this outputs “sample.asc” which you can cat out and paste into the gitea verify box.

trust that helps

9

Well hello there, future Googlers.

This is just a reminder to make sure you’re trying to verify the right key. I was stuck on this for like 15 minutes because I had selected the wrong key to verify.

10

Got exactly same error and solved with Cygwin/Linux.

Output from Windows not working,
but output from Linux working.
I tried EOL conversion, didn’t help.

So I installed in Windows cygwin, then imported the windows gpg into cygwin gpg.
In my case the output from cygwin has been accepted.

Might be the recent gpg version doesn’t work? (I createed the private keys with default settings)

Versions used:
gitea 1.20.6
Windows gpg Version: gpg (GnuPG) 2.4.3 (Failed)
Cygwin gpg version: gpg (GnuPG) 1.4.23 (Works)
Linux GPG Version: gpg (GnuPG) 2.2.19 (Works)

11

Yes, running the command in Linux does works.

12

Found a better way: Copy your token, then open Kleopatra, go to the menu bar > Tools > Clipboard > OpenPGP-Sign… then you’ll get the token (message) along with the signature back in your clipboard

I think the problem might be Windows shells messing around with the data, so using the Clipboard function skips over that. I’ve also tried doing gpg sign from file (N0AGI’s way) and Kleopatra Sign/Encrypt file but didn’t work for me for some reason

1 Like
13

Thanks, this helps a lot!