Blog post S/MIME Signing Git Commits: issue with multiple secret keys
In the blog post S/MIME Signing Git Commits, the Linux instructions use in step 4 the following command to identify the signing key:
$ export SIGNINGKEY=$( gpgsm --list-secret-keys | egrep '(key usage|ID)' | grep -B 1 digitalSignature | awk '/ID/ {print $2}' )
This will not work if the user has more than one secret key (which is likely the case if you have ever renewed your certificate):
$ gpgsm --list-secret-keys
/home/rolf/.gnupg/pubring.kbx
-----------------------------
ID: 0xDF6DDC05
S/N: 1E6C42F5E384FC9B8197857E
Issuer: /CN=DFN-Verein Global Issuing CA/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
Subject: /CN=Rolf Krahl/O=Helmholtz-Zentrum Berlin fuer Materialien und Energie GmbH/C=DE
aka: rolf.krahl@helmholtz-berlin.de
validity: 2018-01-03 11:58:30 through 2021-01-02 11:58:30
key type: 2048 bit RSA
key usage: digitalSignature nonRepudiation keyEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested)
policies: 1.3.6.1.4.1.22177.300.1.1.4:N:,1.3.6.1.4.1.22177.300.1.1.4.3.6:N:,1.3.6.1.4.1.22177.300.2.1.4.3.6:N:
fingerprint: 5D:2B:54:8C:CA:6A:43:D6:75:79:43:C2:B8:8F:11:03:DF:6D:DC:05
ID: 0xA42FC09D
S/N: 23F068F9070FCBA36AB7527B
Issuer: /CN=DFN-Verein Global Issuing CA/OU=DFN-PKI/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./C=DE
Subject: /CN=Rolf Krahl/OU=IT-ED/O=Helmholtz-Zentrum Berlin fuer Materialien und Energie GmbH/C=DE
aka: rolf.krahl@helmholtz-berlin.de
validity: 2020-12-09 15:21:15 through 2023-12-09 15:21:15
key type: 2048 bit RSA
key usage: digitalSignature nonRepudiation keyEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested)
policies: 1.3.6.1.4.1.22177.300.1.1.4:N:,1.3.6.1.4.1.22177.300.1.1.4.8:N:,1.3.6.1.4.1.22177.300.2.1.4.8:N:
fingerprint: 67:DF:0E:47:8B:C3:F0:FB:C6:4F:A4:00:97:86:C1:87:A4:2F:C0:9D
$ SIGNINGKEY=$( gpgsm --list-secret-keys | egrep '(key usage|ID)' | grep -B 1 digitalSignature | awk '/ID/ {print $2}' )
$ echo $SIGNINGKEY
0xDF6DDC05 0xA42FC09D
Note the two key IDs in the output. If you set this as user.signingkey, signing a commit will likely use the wrong key. I'd suggest inspecting the list of keys using
$ gpgsm --list-secret-keys | less
and select the proper id manually instead.
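As an added illustration (not part of the original issue or the blog post it refers to), the following POSIX shell snippet shows how the selection could be made deterministic instead of grabbing every ID that has digitalSignature usage: it parses the same record layout that gpgsm --list-secret-keys prints, keeps only certificates that carry digitalSignature in their key usage and are within their validity period on a given date, and returns the one with the latest expiry. The function name select_signing_key and the sample listing (with made-up IDs, serial numbers and fingerprints) are constructed for this example.

```shell
#!/bin/sh
# select_signing_key: read `gpgsm --list-secret-keys` output on stdin and print
# the ID of the certificate that (a) has digitalSignature in its key usage,
# (b) is valid on the date given as $1 (YYYY-MM-DD) and (c) expires last.
# Exits 1 if no certificate qualifies. Hypothetical helper, not from gpgsm.
select_signing_key() {
  awk -v now="$1" '
    # each record starts with an ID line and ends with a fingerprint line
    /^[[:space:]]*ID:/        { id = $2; usable = 0 }
    /^[[:space:]]*validity:/  { start = $2; end = $5 }   # "validity: START TIME through END TIME"
    # anchored so that the "ext key usage:" line is not matched
    /^[[:space:]]*key usage:/ && /digitalSignature/ { usable = 1 }
    /^[[:space:]]*fingerprint:/ {
      # ISO dates compare correctly as strings; keep the latest-expiring valid cert
      if (usable && start <= now && now <= end && end > best_end) {
        best = id; best_end = end
      }
    }
    END { if (best == "") exit 1; print best }
  '
}

# Constructed sample listing: an expired signing cert, its renewed successor,
# and an encryption-only cert that must never be chosen for signing.
SAMPLE_LISTING=$(cat <<'EOF'
/home/user/.gnupg/pubring.kbx
-----------------------------
           ID: 0x11111111
          S/N: 0123456789ABCDEF00000001
       Issuer: /CN=Example Issuing CA/O=Example/C=XX
      Subject: /CN=Example User/O=Example/C=XX
          aka: user@example.org
     validity: 2018-01-03 11:58:30 through 2021-01-02 11:58:30
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested)
  fingerprint: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11

           ID: 0x22222222
          S/N: 0123456789ABCDEF00000002
       Issuer: /CN=Example Issuing CA/O=Example/C=XX
      Subject: /CN=Example User/OU=IT/O=Example/C=XX
          aka: user@example.org
     validity: 2020-12-09 15:21:15 through 2023-12-09 15:21:15
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
ext key usage: clientAuth (suggested), emailProtection (suggested)
  fingerprint: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22

           ID: 0x33333333
          S/N: 0123456789ABCDEF00000003
       Issuer: /CN=Example Issuing CA/O=Example/C=XX
      Subject: /CN=Example User/OU=IT/O=Example/C=XX
          aka: user@example.org
     validity: 2021-01-01 00:00:00 through 2025-01-01 00:00:00
     key type: 2048 bit RSA
    key usage: keyEncipherment
ext key usage: emailProtection (suggested)
  fingerprint: 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
EOF
)

# Demo on the constructed listing with a fixed "today" so the result is reproducible.
# On a real system you would run:
#   export SIGNINGKEY=$(gpgsm --list-secret-keys | select_signing_key "$(date +%Y-%m-%d)")
printf '%s\n' "$SAMPLE_LISTING" | select_signing_key 2021-06-01
```

Because the function fails with a non-zero status when nothing qualifies, a setup script can stop before writing an empty or multi-valued string into user.signingkey; when two certificates overlap in validity (as they do right after a renewal), the one that expires later, i.e. the renewed one, wins.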