I have trouble verifying my GPG key.
The key is self issued, no expiry date.
Currently I am signing all commits with that same key, all working OK.
When I click on “Verify”, the system provides a token and a place to paste the generated GPG signature.
The proposed method for generating the GPG signature is “echo “<token_number>” | gpg -a --default-key <key_ID> --detach-sig”, which I execute at the cmd prompt.
After entering my password for the certificate I get a “-----BEGIN PGP SIGNATURE----- xxx -----END PGP SIGNATURE-----” block in full ( xxx is a demo value, not to paste all in here ).
I copy/paste the generated signature block into the “Armored GPG signature” box, hit “Verify”.
On top of the page the following error message is stated:
The provided GPG key, signature and token do not match or token is out-of-date.
My Gitea user email address is the same as in certificate.
Is there any step I am missing?
I see nothing wrong in the steps you describe. It probably is a problem (i.e. something creating the problem that is really simple… and that neither you or me are guessing )
Same issue here, using gpg4win + Kleopatra with OpenPGP keys on windows 10. First it asks me to enter my public key, once I try to submit that it asks for a signature which I generate with the given command. Adding the generated signature and trying to submit results in: The provided GPG key, signature and token do not match or token is out-of-date.
I’m having the same problem, and this is the only open thread I found on Google for this issue. Verification works when I do it on Linux, but not Windows.
This is just a reminder to make sure you’re trying to verify the right key. I was stuck on this for like 15 minutes because I had selected the wrong key to verify.
problem (i.e. something creating the problem that is really simple… and that neither you or me are guessing 
)