GPG Keys verify fail


I have trouble verifying my GPG key.
The key is self issued, no expiry date.
Currently I am signing all commits with that same key, all working OK.
When I click on “Verify”, the system provides a token and a place to paste the generated GPG signature.
The proposed method for generating the GPG signature is “echo “<token_number>” | gpg -a --default-key <key_ID> --detach-sig”, which I execute at the cmd prompt.
After entering my password for the certificate I get a “-----BEGIN PGP SIGNATURE----- xxx -----END PGP SIGNATURE-----” block in full ( xxx is a demo value, not to paste all in here ).
I copy/paste the generated signature block into the “Armored GPG signature” box, hit “Verify”.

On top of the page the following error message is stated:

The provided GPG key, signature and token do not match or token is out-of-date.

My Gitea user email address is the same as in certificate.
Is there any step I am missing?

Gitea Version: 1.15.6
Git Version: 2.34.0


I just verified this works with 1.15.6.

I see nothing wrong in the steps you describe. It probably is a :man_facepalming: problem (i.e. something creating the problem that is really simple… and that neither you or me are guessing :wink: )

I’m getting the same issue if I sign on Windows, but not if I sign on Linux. Probably something to do with that.

Same issue here, using gpg4win + Kleopatra with OpenPGP keys on windows 10. First it asks me to enter my public key, once I try to submit that it asks for a signature which I generate with the given command. Adding the generated signature and trying to submit results in: The provided GPG key, signature and token do not match or token is out-of-date.

Same here, gpg4win + Kleopatra fails but using wsl with GPG CLI works just fine

I’m having the same problem, and this is the only open thread I found on Google for this issue. Verification works when I do it on Linux, but not Windows.

in your above cli code, make sure your <key_ID> is your full GPG key as an example below from the gpg --list-keys output.

pub rsa4096 2020-01-01 [SC]
uid John Doe
sub rsa4096 2020-01-01 [E]

in my case I had to split the above CLI pipe command into two steps on my CLI as follows as an example:

echo “<token_number>” > sample.txt
gpg -a --default-key ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234 --detach-sig sample.txt

this outputs “sample.asc” which you can cat out and paste into the gitea verify box.

trust that helps

Well hello there, future Googlers.

This is just a reminder to make sure you’re trying to verify the right key. I was stuck on this for like 15 minutes because I had selected the wrong key to verify.