Unlike the git command line client (version 2.20.1), EGit 5.5.1 does not include the GPG fingerprint (40 digits) in the git repository, but only the KeyID (the last 16 digits of the fingerprint). One can easily verify this by signing two independent commits with the git and the EGit client and checking the output of 'git log --show-signature'. Unfortunately, GitLab seems to rely on the fingerprint being included and therefore tags commits performed using EGit as 'Unverified' while commits performed using git are 'Verified'. I will also post the issue at GitLab, but I think EGit should mimic git's behavior here. Furthermore, using the fingerprint will lower the risk of key name clashes significantly.
I also opened a related issue on GitLab: https://gitlab.com/gitlab-org/gitlab/issues/36708
Looking briefly through the code, there's nothing we could do in JGit to change that; it appears to be hard-coded that way in Bouncy Castle.
From looking through RFC 4880 [1] it appears that signatures include only the key id. But see [2]. Looks like Bouncy Castle needs to add support for that. GPG (and Gitlab) are actually implementing a future version of RFC4880. [3] GPG adds the "Issuer Fingerprint" sub-packet to the signature, and apparently Gitlab doesn't validate properly if a key has only the older "Issuer" sub-packet containing only the key ID.

[1] https://tools.ietf.org/html/rfc4880
[2] https://github.com/bcgit/bc-java/issues/492
[3] https://gitlab.com/openpgp-wg/rfc4880bis/blob/master/draft-ietf-openpgp-rfc4880bis-08.txt#L2288
See also https://www.eclipse.org/forums/index.php/t/1101255/ .
See also https://www.eclipse.org/forums/index.php/t/1102844/ .
You may try with BC 1.65; they claim they have implemented it.
Yes, looks like it would now be possible to implement this. Needs a little code change on our side, though, and thus BC 1.65 in Orbit first. If I read their code right, the PGPSignatureGenerator still doesn't include the IdentityFingerprint packet by default. We'd have to generate and add it explicitly via PGPSignatureSubpacketGenerator and PGPSignatureGenerator.setUnhashedSubpackets(). @Matthias, time to start the update process to BC 1.65?
(In reply to Thomas Wolf from comment #7)
> IdentityFingerprint

s/IdentityFingerprint/IssuerFingerprint/
(In reply to Thomas Wolf from comment #7)
> Yes, looks like it would now be possible to implement this. Needs a little
> code change on our side, though, and thus BC 1.65 in Orbit first. If I read
> their code right, the PGPSignatureGenerator still doesn't include the
> IdentityFingerprint packet by default. We'd have to generate and add it
> explicitly via PGPSignatureSubpacketGenerator and
> PGPSignatureGenerator.setUnhashedSubpackets().
>
> @Matthias, time to start the update process to BC 1.65?

Tony just pushed this change for Orbit, looks like we are lucky this time and can just use that https://git.eclipse.org/r/#/c/161382/
New Gerrit change created: https://git.eclipse.org/r/161960
New Gerrit change created: https://git.eclipse.org/r/161962
Gerrit change https://git.eclipse.org/r/162570 was merged to [master]. Commit: http://git.eclipse.org/c/jgit/jgit.git/commit/?id=bcf4879781c4f53b8facd96c9ec7b802c5c5086d
Gerrit change https://git.eclipse.org/r/161960 was merged to [master]. Commit: http://git.eclipse.org/c/egit/egit.git/commit/?id=8b2cfa635bdc042121699384bddcefadab2586e0
Gerrit change https://git.eclipse.org/r/161962 was merged to [master]. Commit: http://git.eclipse.org/c/jgit/jgit.git/commit/?id=4d7a16257f674b061851b5a2ee63f61b900cb6f1
problem remains unsolved, still got unverified

tested with
EGit: 5.8.1.20200609, 5.9.0.202006XX
GitLab: 12.8.1
(In reply to aminla lai from comment #15)
> problem remains unsolved, still got unverified
>
> tested with
> EGit: 5.8.1.20200609, 5.9.0.202006XX
> GitLab: 12.8.1

If you run git log --show-signature, does it show you the full fingerprint of the signature? As in

commit 38651633466ee1578877471133819eb17a89694d
gpg: Signature made Sat Jun 6 17:16:16 2020 CEST
gpg: using RSA key 082D002FE303507C427A23F34459E98A0A6890FB
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Full fingerprint here
(In reply to Thomas Wolf from comment #16)
> (In reply to aminla lai from comment #15)
> > problem remains unsolved, still got unverified
> >
> > tested with
> > EGit: 5.8.1.20200609, 5.9.0.202006XX
> > GitLab: 12.8.1
>
> If you run git log --show-signature, does it show you the full fingerprint
> of the signature? As in
>
> commit 38651633466ee1578877471133819eb17a89694d
> gpg: Signature made Sat Jun 6 17:16:16 2020 CEST
> gpg: using RSA key 082D002FE303507C427A23F34459E98A0A6890FB
>                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Full fingerprint here

commit 49ec3feb6f1bbcd09f83a536f8e404c01425f840
gpg: Signature made 06/15/20 14:01:08 Taipei
gpg: using RSA key CC8199811CB75484
gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]
Author: aminla.lai <aminla.lai@ebizprise.com>
Date:   Mon Jun 15 14:00:53 2020 +0800
(In reply to aminla lai from comment #17)
> (In reply to Thomas Wolf from comment #16)
> > (In reply to aminla lai from comment #15)
> > > problem remains unsolved, still got unverified
> > >
> > > tested with
> > > EGit: 5.8.1.20200609, 5.9.0.202006XX
> > > GitLab: 12.8.1
> >
> > If you run git log --show-signature, does it show you the full fingerprint
> > of the signature? As in
> >
> > commit 38651633466ee1578877471133819eb17a89694d
> > gpg: Signature made Sat Jun 6 17:16:16 2020 CEST
> > gpg: using RSA key 082D002FE303507C427A23F34459E98A0A6890FB
> >                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Full fingerprint here
>
> commit 49ec3feb6f1bbcd09f83a536f8e404c01425f840
> gpg: Signature made 06/15/20 14:01:08 Taipei
> gpg: using RSA key CC8199811CB75484
> gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]
> Author: aminla.lai <aminla.lai@ebizprise.com>
> Date:   Mon Jun 15 14:00:53 2020 +0800

Committed by using TortoiseGit:

commit 7b44271182e37c8bb4fb8004d169bda5e45f970a
gpg: Signature made 06/15/20 15:51:43 Taipei
gpg: using RSA key 01F020617DDA8F7827180D83CC8199811CB75484
gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]
Author: aminla.lai <aminla.lai@ebizprise.com>
Date:   Mon Jun 15 15:51:43 2020 +0800
Cannot reproduce. Are you sure you're indeed using EGit 5.8.0 or newer?

commit a8a215fbf3aaf0a6b146ac19848e6825766d0695 (HEAD -> master)
gpg: Signature made Tue Jun 16 11:37:18 2020 CEST
gpg: using RSA key 082D002FE303507C427A23F34459E98A0A6890FB
gpg: Good signature from "A U Thor <a.u.thor@example.org>" [ultimate]
Author: A U Thor <a.u.thor@example.org>
Date:   Tue Jun 16 11:37:18 2020 +0200
Created attachment 283297 [details]
current installation of eclipse

Do I need any configuration to activate the "full fingerprint" feature?
Where did you find 5.8.1? AFAICS this doesn't exist yet [1]. The latest release is 5.8.0, to be published fully tomorrow with Eclipse 2020-06.

[1] https://git.eclipse.org/r/plugins/gitiles/egit/egit/+refs
(In reply to Matthias Sohn from comment #21)
> Where did you find 5.8.1 ?
> AFAICS this doesn't exist yet [1].
> The latest release is 5.8.0 to be published fully tomorrow with Eclipse
> 2020-06
>
> [1] https://git.eclipse.org/r/plugins/gitiles/egit/egit/+refs

By using the update site https://download.eclipse.org/egit/updates-stable-nightly/ , listed at "https://www.eclipse.org/egit/download/" under the Nightly Builds section.
bingo, you are right
(In reply to aminla lai from comment #20)
> do i need any configuration to activate "full fingerprint" feature ?

No. In fact, including the full fingerprint of the key in the signature by means of this IssuerFingerprint packet is hard-coded into the JGit code. If it signs the commit, EGit 5.8.0 or newer will _always_ include the full fingerprint. So I'm a bit at a loss as to why it doesn't in your case. Possible causes I can imagine:

1. You do have EGit 5.8.1 installed. But is it also active? Did you re-start the Eclipse after the installation? (I suppose you did, but let's just cover all bases.) Can you show the output of opening a Host OSGi Console (in the console view) and typing "ss git" and "ss bouncy" ?

2. What GPG version are you using? I'm using 2.2.10 and 2.2.20.

3. The full fingerprint is included only in new commits made. We cannot re-sign already existing commits. (But apparently you made new commits.)
(In reply to Thomas Wolf from comment #24)
> (In reply to aminla lai from comment #20)
> > do i need any configuration to activate "full fingerprint" feature ?
> ...

1. I did restart after upgrading egit from 5.7.0 to 5.8.1
eclipse version: 4.7.1a, build id: 20171005-1200

ss git:
id    State      Bundle
1180  STARTING   org.eclipse.egit_5.8.1.202006092153
1181  ACTIVE     org.eclipse.egit.core_5.8.1.202006092153
1182  STARTING   org.eclipse.egit.doc_5.8.1.202006092153
1183  ACTIVE     org.eclipse.egit.gitflow_5.8.1.202006092153
1184  ACTIVE     org.eclipse.egit.gitflow.ui_5.8.1.202006092153
1185  STARTING   org.eclipse.egit.mylyn.ui_5.8.1.202006092153
1186  ACTIVE     org.eclipse.egit.ui_5.8.1.202006092153
1187  RESOLVED   org.eclipse.jgit_5.8.1.202006091944 Fragments=1195, 1189
1188  STARTING   org.eclipse.jgit.archive_5.8.1.202006091957
1189  RESOLVED   org.eclipse.jgit.gpg.bc_5.8.1.202006091957 Master=1187
1190  ACTIVE     org.eclipse.jgit.http.apache_5.8.1.202006091957
1191  RESOLVED   org.eclipse.jgit.lfs_5.8.1.202006091944
1192  RESOLVED   org.eclipse.jgit.lfs.server_5.8.1.202006091957
1193  RESOLVED   org.eclipse.jgit.pgm_5.8.1.202006091957
1194  ACTIVE     org.eclipse.jgit.ssh.apache_5.8.1.202006091957
1195  RESOLVED   org.eclipse.jgit.ssh.jsch_5.8.1.202006091957 Master=1187
1196  RESOLVED   org.eclipse.jgit.ui_5.8.1.202006091957

ss bouncy:
id    State      Bundle
1177  RESOLVED   org.bouncycastle.bcpg_1.65.0.v20200527-1955
1178  RESOLVED   org.bouncycastle.bcpkix_1.65.0.v20200527-1955
1179  RESOLVED   org.bouncycastle.bcprov_1.65.1.v20200529-1514

2. gpg version: 2.2.19

3. I did test with new commits
(In reply to Thomas Wolf from comment #24)
> ...

I tried installing 5.8.0.202006091008-r instead, but still unverified.
(In reply to aminla lai from comment #26)
> i try install 5.8.0.202006091008-r instead,
> but still unverified

Shouldn't make a difference. Comment 25 looks all fine to me. The only thing that is a bit strange is that you have org.eclipse.jgit.archive, org.eclipse.jgit.lfs.server and org.eclipse.jgit.pgm installed, but that shouldn't matter. Eclipse 4.7.1a is Oxygen and a bit old, but that shouldn't matter either; I can generate signatures with the full fingerprint in it just fine in a Neon child Eclipse, which is still older (and being a child Eclipse, it uses the equivalent of EGit nightly, i.e. 5.9.0). I'm out of ideas. If it happened to me I'd debug this. The signature is generated in BouncyCastleGpgSigner.sign(); the IssuerFingerprint is added in line 135ff.
(In reply to Thomas Wolf from comment #27)
> ...

OK, thanks for your help. It's not a big deal, I can use TortoiseGit instead, just a little bit inconvenient.

NOTE: I did try eclipse 2020-06 RC1 with egit 5.8.0, not working either
One more far-fetched idea: perhaps it has something to do with the key itself.

First, let's double check that your key indeed is a "version 4" key:

gpg --export 01F020617DDA8F7827180D83CC8199811CB75484 | gpg --list-packets

should show the details. Does this say "version 5" anywhere? (I don't think so, since in comment 18 you showed a 40-character (20 bytes) fingerprint, and from looking at the Bouncy Castle code I think it would even fail to read a "version 5" key. Nevertheless, let's be sure.)

Second, can you try with a new throw-away RSA 2048 key?

Third, what RSA key length is your CC8199811CB75484 RSA key? Perhaps it's related to key size...
(In reply to Thomas Wolf from comment #29)
> ...

1.
:public key packet:
	version 4, algo 1, created 1591948529, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: CC8199811CB75484

2. CC8199811CB75484 RSA key length is 4096 (as gitlab docs suggested) and I also tried rsa2048/06FA435E89E980EC with no luck :) so it's not related to key size

sec   rsa4096/CC8199811CB75484 2020-06-12 [SC]
      01F020617DDA8F7827180D83CC8199811CB75484
uid           [ultimate] aminla.lai <aminla.lai@ebizprise.com>
ssb   rsa4096/7988F1CC8B7C3514 2020-06-12 [E]

sec   rsa2048/06FA435E89E980EC 2020-06-17 [SC]
      FDAFB901141C12506F773CE406FA435E89E980EC
uid           [ultimate] aminla.lai <aminla.lai@ebizprise.com>
All right, so let's assume it's not key specific. Maybe we're not generating the signature completely correctly? JGit generates a signature containing:

# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid 4459E98A0A6890FB
	version 4, created 1592300238, md5len 0, sigclass 0x00
	digest algo 8, begin of digest 9a 45
	hashed subpkt 2 len 4 (sig created 2020-06-16)
	hashed subpkt 33 len 21 (issuer fpr v4 082D002FE303507C427A23F34459E98A0A6890FB)
	subpkt 16 len 8 (issuer key ID 4459E98A0A6890FB)
	data: [2048 bits]

Command-line git using gpg 2.2.20 on Mac generates a signature containing:

# off=0 ctb=89 tag=2 hlen=3 plen=329
:signature packet: algo 1, keyid 4459E98A0A6890FB
	version 4, created 1592395001, md5len 0, sigclass 0x00
	digest algo 10, begin of digest fc ec
	hashed subpkt 33 len 21 (issuer fpr v4 082D002FE303507C427A23F34459E98A0A6890FB)
	hashed subpkt 2 len 4 (sig created 2020-06-17)
	hashed subpkt 28 len 20 (signer's user ID)
	subpkt 16 len 8 (issuer key ID 4459E98A0A6890FB)
	data: [2043 bits]

Notable differences:

1. JGit uses SHA256 as digest (algo 8), gpg uses SHA512 (algo 10).
2. JGit doesn't include the signer's user ID.
3. JGit has the creation time as first sub-packet, git has it as the second.

None of these should cause any trouble. But let's include the signer's user ID, too. Maybe that helps.
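As an added illustration (not JGit's, Bouncy Castle's or GitLab's code), the following Python walks the hashed and unhashed subpacket areas of a v4 signature packet like the ones dumped above and reports whether it carries only the 8-byte Issuer key ID (subpacket 16) or also the 20-byte Issuer Fingerprint (subpacket 33), which is the distinction this bug is about. The two sample packet bodies are constructed, truncated before the signature MPI, and reuse the fingerprint from the dumps; nothing here verifies the signature itself.

```python
# Which issuer subpackets does a v4 OpenPGP signature packet carry? Issuer (type 16,
# key ID only) versus Issuer Fingerprint (type 33) per RFC 4880 / rfc4880bis.
import struct
ISSUER, ISSUER_FPR, SIG_CREATED = 16, 33, 2

def _subpackets(area):  # yield (type, body) per subpacket of a hashed/unhashed area
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if n < 192:                                   # RFC 4880 5.2.3.1 length forms
            length = n
        elif n < 255:
            length = ((n - 192) << 8) + area[i] + 192; i += 1
        else:
            length = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def issuer_info(body):  # key ID / fingerprint (hex) found in a v4 signature packet body
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hlen = struct.unpack(">H", body[4:6])[0]          # after version, class, pk algo, hash algo
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    info = {"keyid": None, "fingerprint": None, "fpr_hashed": False}
    for area, is_hashed in ((hashed, True), (unhashed, False)):
        for typ, sub in _subpackets(area):
            if typ == ISSUER:
                info["keyid"] = sub.hex().upper()
            elif typ == ISSUER_FPR and sub[0] == 4:   # key version 4 -> 20-byte fpr
                info["fingerprint"] = sub[1:21].hex().upper()
                info["fpr_hashed"] = is_hashed
    fpr, kid = info["fingerprint"], info["keyid"]
    if fpr and kid and not fpr.endswith(kid):         # key ID = low 64 bits of fpr
        raise ValueError("Issuer key ID does not match Issuer Fingerprint")
    return info

def _sp(typ, sub):                                    # one short-length subpacket
    return bytes([len(sub) + 1, typ]) + sub
def _sig(hashed, unhashed):                           # v4, class 0x00, RSA, SHA-256
    return (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x9a\x45")

# Constructed samples (no MPI) using the fingerprint from the dumps in the comment above.
FPR = bytes.fromhex("082D002FE303507C427A23F34459E98A0A6890FB")
CREATED = _sp(SIG_CREATED, struct.pack(">I", 1592300238))
SIG_WITH_FPR = _sig(CREATED + _sp(ISSUER_FPR, b"\x04" + FPR), _sp(ISSUER, FPR[-8:]))  # JGit >= 5.8
SIG_KEYID_ONLY = _sig(CREATED, _sp(ISSUER, FPR[-8:]))                                 # EGit 5.5.1 style
```

To inspect a real commit, feed the body of the signature packet (after the CTB and length bytes, i.e. from the version octet on) from `gpg --list-packets` or a dearmored blob to issuer_info().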
(In reply to Thomas Wolf from comment #31) > But let's include the signer's user ID, too. Maybe that helps. Created bug 564386 for this.
(In reply to Thomas Wolf from comment #31)
> ...

I noticed that, even though egit 5.8.0 correctly shows the full fingerprint, gitlab still does not recognize it as a valid signed commit

// using 4.7.1a egit 5.8.0, gitlab shows unverified
gpg: using RSA key 01F020617DDA8F7827180D83CC8199811CB75484
gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]

// using 4.7.1a egit 5.8.1, gitlab shows unverified
gpg: using RSA key CC8199811CB75484
gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]
(In reply to aminla lai from comment #33)
> (In reply to Thomas Wolf from comment #31)
> > ...
>
> i noticed that, even with egit 5.8.0 correctly shows full fingerprint,
> gitlab still not recognize it as a valid signing commit
>
> // using 4.7.1a egit 5.8.0, gitlab shows unverified
> gpg: using RSA key 01F020617DDA8F7827180D83CC8199811CB75484
> gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]
>
> // using 4.7.1a egit 5.8.1, gitlab shows unverified
> gpg: using RSA key CC8199811CB75484
> gpg: Good signature from "aminla.lai <aminla.lai@ebizprise.com>" [ultimate]

Now that's really strange that 5.8.1 would differ from 5.8.0. If Gitlab still doesn't recognize the signature as valid there's not much we can do. Unless... maybe there's a difference in the data signed, i.e., in the raw commit data, between JGit and command-line git. I have no idea right now how I'd go about verifying that.
(In reply to Thomas Wolf from comment #34)
> ...
> "Now that's really strange that 5.8.1 would differ from 5.8.0."

Seems BouncyCastleGpgSigner from the stable-5.8 branch has not been updated, @see https://git.eclipse.org/c/jgit/jgit.git/tree/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java?id=b3f08af88099cfc26446c8b2d242a351f1bf69d8&h=stable-5.8
(In reply to aminla lai from comment #35)
> (In reply to Thomas Wolf from comment #34)
> > ...
> >
> > "Now that's really strange that 5.8.1 would differ from 5.8.0."
>
> seems BouncyCastleGpgSigner from stable-5.8 branch not been updated
>
> @see
> https://git.eclipse.org/c/jgit/jgit.git/tree/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java?id=b3f08af88099cfc26446c8b2d242a351f1bf69d8&h=stable-5.8

But that's an older commit (in fact, it's the parent commit of https://git.eclipse.org/r/#/c/161962/ so of course it wouldn't have the full fingerprint yet). JGit 5.8.1.202006091959 from updates-stable-nightly is based on commit 6abe695aa5, which _does_ include the code for the full fingerprint, see [1]. If I download the source jar from [2] and unzip it, the source code does include the full fingerprint code.

[1] https://git.eclipse.org/c/jgit/jgit.git/tree/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/BouncyCastleGpgSigner.java?h=stable-5.8&id=6abe695aa5a9a85e0bc7517c6f2d51a3f81fa41e#n136
[2] http://download.eclipse.org/egit/updates-stable-nightly/plugins/org.eclipse.jgit.gpg.bc.source_5.8.1.202006091957.jar
Gitlab versions < 12.10 had a bug that makes signature verification fail for commits with commit messages that do not end in a newline. See [1] and bug 564428 comment 5.

[1] https://gitlab.com/gitlab-org/gitaly/-/issues/2545