Git log showing raw GPG output as commits

Question

Git log showing raw GPG output as commits

chris-fj opened this issue 2 years ago · comments

Before proceeding...

My CLIs meet the minimum version requirements
I have read through the troubleshooting guide
If I updated fzf.fish for the first time in over 6 months, I read the migration guides to make sure I'm caught up

Describe the bug

If you happen to have GPG signed commits and your repo or global git configuration showw GPG signatures by default (setting showSignature = true on the repo or the global .gitconfig) , the signatures appear on the git log as entries that parse with errors. An example is this very repo, see the capture below:

with my global .gitconfig being like this:

[user]
        signingKey = xxxx
        name = xxx
        email = xxx
[commit]
        gpgSign = true
[core]
        editor = vim
[gpg]
        program = gpg
[log]
        showSignature = true 
[init]
        defaultBranch = master

If you force git to not show GPG signatures (by commenting showSignature = true), this of course disappears

but I see this suboptimal since it hides the signature information

Steps to reproduce

Use git log on a repo with gpg-signed commits

Environment

Versions installed:

Fish: 3.5.1
fzf.fish: 9.5
terminal: Konsole
OS: Arch Linux

Which, if any, configuration variables such as fzf_preview_file_cmd are set?
None

Additional context

None

chris-fj · Answer 1 · Wed Jan 04 2023 06:29:49 GMT+0800 (China Standard Time)

I opened #287 that adds a new flag to indicate the status of the signature, as per git log's %G? flag. The values are:

show "G" for a good (valid) signature, "B" for a bad signature, "U" for a good signature with unknown validity, "X" for a good signature that has expired, "Y" for a good signature made by an expired key, "R" for a good signature made by a revoked key, "E" if the signature cannot be checked (e.g. missing key) and "N" for no signature

For "E" (can't verify signature) it looks like this:

and for "G" (good valid signature) it looks like this:

and I can't really test the other use cases 😅

Patrick Fong · Answer 2 · Mon Jan 09 2023 03:12:02 GMT+0800 (China Standard Time)

I know this is slightly tangential to the bug, but I want to make sure I understand exactly what is happening and how GPG integrates with git before I fix the bug. When the error message says gpg: Can't check signature: No public key, is that because it found a signed commit but can't verify the signature because your gpg config doesn't have the public key used to sign that signature?

chris-fj · Answer 3 · Mon Jan 09 2023 04:02:31 GMT+0800 (China Standard Time)

it found a signed commit but can't verify the signature because your gpg config doesn't have the public key used to sign that signature

Exactly this. The user's keyring does not contain a public key paired to the private key used to generate the signature