GPG-signed commits show as unverified with no clear explanation why
Summary
Consider this commit. The GitLab UI shows the commit as unverified, claiming that it is “signed with an unverified signature”. It states that it is signed with key 211CEB0BE447577B, which is correct. That is the ID of a subkey of my primary key, A3C12D350D05EE04. Running git show --show-signature on the command line shows that the signature is valid. The subkey has not expired, nor has the primary key (the subkey will expire in March of this year, while the primary key expires March of next year). The primary key ID and subkey ID both appear on https://gitlab.com/-/profile/gpg_keys. The author and committer e-mail addresses are both chead@chead.ca. This e-mail address appears on https://gitlab.com/-/profile/gpg_keys for the key and has a green “verified” marker beside it.
Steps to reproduce
Since the message doesn’t say what it doesn’t like about the key, I don’t know what GitLab dislikes about the key and/or commit. Some things which might or might not be relevant:
- I have many subkeys.
- I am using an Ed25519 signing subkey.
- I have multiple e-mail addresses on the key. Some of the other ones are unverified, and one of them is revoked, but the one in the author and committer field of the commit is verified.
- I create a new set of subkeys each year. Because it is not possible to re-add a primary key that already exists, in order to do this, I have to delete the existing key and then re-add the “same” key (albeit augmented with more subkeys). I used the “delete” button, not the “revoke” button, because that looked like it ought to leave the signature status of existing commits intact.
In any case, you have the commit object and you have my key, so regardless of whether you can create a new key and commit that reproduces the problem, you hopefully have the data you need, since a fix ideally ought to make this particular commit display as verified in future.
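To make the individual checks behind a “verified” badge visible, here is an added example (not GitLab’s code, and not the reporter’s) that replays the checks a code forge has to make against a machine-readable `gpg --with-colons --list-keys` listing: the signing key must be the primary key or a signing-capable subkey of a registered key, neither the primary nor the signing key may be revoked or expired, and the committer e-mail must sit on a non-revoked user ID of that key (and, on the forge side, be a confirmed address on the account). The listing below is a constructed sample: it reuses the primary key ID, subkey ID and e-mail address from the report, but the timestamps, user-ID names, extra user IDs and the additional expired subkey are invented for illustration. The `verified_emails` parameter stands in for the forge-side “verified” marker and is an assumption about how such a check would be modelled, not a description of GitLab’s implementation.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample of `gpg --with-colons --list-keys` output. Key IDs and the
# e-mail address are the ones named in the report; dates, names, the other
# user IDs and the second (expired) subkey are made up for illustration.
SAMPLE_LISTING = """\
pub:u:255:22:A3C12D350D05EE04:1583020800:1774828800::u:::scESC::::::23::0:
uid:u::::1583020800::AAAA::Committer Name <chead@chead.ca>::::::::::0:
uid:-::::1583020800::BBBB::Committer Name <unverified@example.invalid>::::::::::0:
uid:r::::1583020800::CCCC::Committer Name <revoked@example.invalid>::::::::::0:
sub:u:255:22:211CEB0BE447577B:1583020800:1743292800:::::s::::::23:
sub:e:255:22:1111111111111111:1551398400:1583020800:::::s::::::23:
"""


@dataclass
class Key:
    keyid: str
    validity: str           # gpg validity letter: r = revoked, e = expired, ...
    created: int
    expires: Optional[int]  # seconds since the epoch; None if it never expires
    caps: str               # capabilities, e.g. "s" on a sub line, "scESC" on pub


@dataclass
class KeyBlock:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)
    uids: List[Tuple[str, str]] = field(default_factory=list)  # (validity, user ID)


def _key_from_fields(f: List[str]) -> Key:
    # Field layout per gnupg doc/DETAILS: 0 record type, 1 validity, 4 key ID,
    # 5 creation time, 6 expiry time, 11 key capabilities.
    return Key(keyid=f[4].upper(), validity=f[1], created=int(f[5]),
               expires=int(f[6]) if f[6] else None, caps=f[11])


def parse_colons(listing: str) -> List[KeyBlock]:
    """Group the pub/sub/uid records of a --with-colons listing by primary key."""
    blocks: List[KeyBlock] = []
    current: Optional[KeyBlock] = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = KeyBlock(primary=_key_from_fields(f))
            blocks.append(current)
        elif current is None:
            continue
        elif f[0] == "sub":
            current.subkeys.append(_key_from_fields(f))
        elif f[0] == "uid":
            current.uids.append((f[1], f[9]))
    return blocks


def explain_verification(blocks: List[KeyBlock], signing_keyid: str,
                         committer_email: str, now: int,
                         verified_emails: Optional[Iterable[str]] = None
                         ) -> Tuple[bool, List[str]]:
    """Return (verified, reasons); an empty reason list means every check passed."""
    signing_keyid = signing_keyid.upper()
    for blk in blocks:
        key = next((k for k in [blk.primary] + blk.subkeys if k.keyid == signing_keyid), None)
        if key is None:
            continue
        reasons: List[str] = []
        if "s" not in key.caps.lower():
            reasons.append(f"key {key.keyid} is not signing-capable (caps={key.caps!r})")
        # Both the signing (sub)key and the primary key it hangs off must be live.
        for label, k in (("primary key", blk.primary), ("signing key", key)):
            if k.validity == "r":
                reasons.append(f"{label} {k.keyid} is revoked")
            if k.expires is not None and k.expires <= now:
                reasons.append(f"{label} {k.keyid} expired at {k.expires}")
        wanted = f"<{committer_email.lower()}>"
        uid_states = [val for val, uid in blk.uids if wanted in uid.lower()]
        if not uid_states:
            reasons.append(f"no user ID on {blk.primary.keyid} carries {committer_email}")
        elif all(val in ("r", "e") for val in uid_states):
            reasons.append(f"every user ID carrying {committer_email} is revoked or expired")
        # Hypothetical forge-side check: the address must also be confirmed on the account.
        if verified_emails is not None and committer_email.lower() not in {e.lower() for e in verified_emails}:
            reasons.append(f"{committer_email} is not a verified address on the account")
        return (not reasons, reasons)
    return False, [f"signing key {signing_keyid} is not the primary or a subkey of any registered key"]


if __name__ == "__main__":
    blocks = parse_colons(SAMPLE_LISTING)
    for keyid, email, now in (("211CEB0BE447577B", "chead@chead.ca", 1700000000),
                              ("211CEB0BE447577B", "chead@chead.ca", 1750000000),
                              ("1111111111111111", "chead@chead.ca", 1700000000)):
        ok, why = explain_verification(blocks, keyid, email, now, verified_emails={"chead@chead.ca"})
        print(keyid, "verified" if ok else "unverified", why)
```

Because every failed check is returned as a reason string rather than folded into a single boolean, the same function can back a UI message that says which condition failed (expired subkey, revoked user ID, unknown signing key, unconfirmed address) instead of a bare “unverified signature”.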
Example Project
This commit displays the problem.
What is the current bug behavior?
The commit is shown as “unverified” with the message “This commit was signed with an unverified signature.”
What is the expected correct behavior?
The commit should be shown as verified.
Output of checks
This bug happens on GitLab.com