
I have a Git repository owned by the root user that I can access with sudo. Normally, in order to use this repo with Git, I use `sudo -E git ...`. The -E flag is necessary so that the Git run under sudo inherits my default Git configuration, such as the author, etc.

I decided to try GPG signing of this repository, so I enabled the options.

> sudo -E git config user.email 'EMAIL' && sudo -E git config user.signingkey 'SIGNINGKEY' && sudo -E git config commit.gpgsign true && sudo -E git config tag.gpgsign true

However, upon trying to do a commit:

> sudo -E git commit --allow-empty -m 'Test commit'

error: gpg failed to sign the data
fatal: failed to write commit object

However, it does not appear that gpg can sign this repository with the GPG keys that exist in my user profile.

I've discovered new information about this problem: https://github.com/NixOS/nixpkgs/issues/57779

CMCDragonkai
  • It sounds like (to me) you are bringing problems upon yourself due to excessive use of `sudo`. Stop using `sudo` for daily tasks and many of your problems will go away. Delete the repo and start over. If you truly need to develop as root, then just `sudo su -` and be done with it (this would be a very unusual requirement, and I would expect there are procedural problems). – jww Mar 12 '19 at 07:08
  • This is root-level configuration managed by the root user; Git is just used to version control it. – CMCDragonkai Mar 12 '19 at 08:37
  • Coincidentally, I just landed here from Google with the same question. NixOS is a good example of where it is common to edit a directory as root (the root configuration directory /etc/nixos). – user196499 Mar 12 '19 at 23:18
  • @user196499 That's the reason for this question! – CMCDragonkai Mar 13 '19 at 00:28
  • I've discovered that this problem is very nuanced: https://github.com/NixOS/nixpkgs/issues/57779 It's both about using the right gpg-agent and also a tty ownership issue due to the pinentry problem. – CMCDragonkai Mar 17 '19 at 06:05

1 Answer


What I did:

# Login as root.
$ sudo -i

# Set up .gitconfig and .gnupg.
# NOTE: after `sudo -i`, $USER is root; $SUDO_USER is the account that ran sudo.
% mv /root/.gitconfig /root/.gitconfig.orig
% mv /root/.gnupg /root/.gnupg.orig
% ln -s /home/$SUDO_USER/.gitconfig /root/.gitconfig
% ln -s /home/$SUDO_USER/.gnupg /root/.gnupg

# Ensure GPG uses given tty and ensure permissions.
# pinentry opens the terminal named in GPG_TTY, so it is handed to the user gpg now runs as.
% export GPG_TTY=$(tty)
% chown root $(tty)

# Simple test.
# Kill any running agent so a fresh one starts against the linked ~/.gnupg and tty.
% killall gpg-agent
% echo "test" | gpg --clearsign

Ensure:

  • gpg --list-keys includes the key you want to sign with.
  • root has permissions for the given $(tty).
  • echo "test" | gpg --clearsign runs successfully.

If you also use ssh keys, a similar solution:

# Login as root.
$ sudo -i

# Set up .ssh.
# NOTE: we must copy these files for correct perms (ssh refuses keys readable by others).
# NOTE: after `sudo -i`, $USER is root; $SUDO_USER is the account that ran sudo.
% mv /root/.ssh /root/.ssh.orig
% cp -r /home/$SUDO_USER/.ssh /root/.ssh

# Do some remote action.
% git push
Mateen Ulhaq
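The answer's "Ensure:" list can be turned into a pre-flight script that is run as root before the first signed commit. The following is an added example and is not code from the question, the answer, or the nixpkgs issue. It assumes a hypothetical file name `gpg-root-check.sh`, that `git config user.signingkey` holds a key id or fingerprint, and that gpg matches that value as a suffix of a key id or fingerprint (how `gpg -u` resolves a key). The key and tty checks take their input explicitly, so they can be exercised without a live gpg or a real terminal; the live checks only run when the script is invoked with `run`.

```shell
#!/bin/sh
# Added example, not part of the question or the answer above: pre-flight
# checks for signing as root. Hypothetical script name: gpg-root-check.sh

# key_listed KEYID -- reads `gpg --list-keys --with-colons` output on stdin
# and succeeds if KEYID (short id, long id or full fingerprint) is a suffix
# of a pub/sub key id (field 5) or of an fpr record's fingerprint (field 10).
key_listed() {
    awk -F: -v want="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" '
        function endswith(s, t) {
            return length(t) > 0 && length(t) <= length(s) &&
                   substr(s, length(s) - length(t) + 1) == t
        }
        ($1 == "pub" || $1 == "sub") && endswith(toupper($5), want) { found = 1 }
        $1 == "fpr" && endswith(toupper($10), want) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# tty_usable PATH -- succeeds if PATH is non-empty and writable by the
# current user, which is what pinentry needs for the terminal in GPG_TTY.
tty_usable() {
    [ -n "$1" ] && [ -w "$1" ]
}

# preflight -- the live checks from the answer: GPG_TTY names a usable tty,
# the configured signing key is known to gpg, and a throw-away clearsign
# succeeds. Every failure prints the item that needs fixing and returns 1.
preflight() {
    GPG_TTY=$(tty) || { echo "not running on a tty" >&2; return 1; }
    export GPG_TTY
    tty_usable "$GPG_TTY" \
        || { echo "$GPG_TTY is not writable by $(id -un)" >&2; return 1; }

    key=$(git config user.signingkey) \
        || { echo "user.signingkey is not set" >&2; return 1; }
    gpg --list-keys --with-colons 2>/dev/null | key_listed "$key" \
        || { echo "signing key $key is not in gpg --list-keys" >&2; return 1; }

    printf 'test\n' | gpg --clearsign >/dev/null \
        || { echo "gpg --clearsign failed; check gpg-agent and pinentry" >&2; return 1; }
    echo "all checks passed; a signed commit should now work"
}

# Only run the live checks when asked: `sh gpg-root-check.sh run`
case ${1-} in run) preflight ;; esac
```

Run it as root (for example from the `sudo -i` shell in the answer) with `sh gpg-root-check.sh run`; it stops at the first failing item, which is normally either the tty (GPG_TTY unset or owned by the invoking user rather than root) or an agent that was started before `~/.gnupg` was relinked.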