
Error: "Unusable Public Key"

Open ChristopherA opened this issue 6 years ago • 4 comments

I am using macOS Catalina and the brew version of git-crypt (there is no -v option so I am not sure which version of git-crypt, but it is today's brew install git-crypt).

I have a repo without git-crypt (my .dotfiles) and I have just initialized it with git-crypt init and git-crypt answers Generating key...

However, when I git-crypt add-gpg-user [email protected] I get:

gpg: 0xFDFE14A54ECB30FC5D2274EFF8D36C91357405ED: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
git-crypt: GPG error: Failed to encrypt

git-crypt is finding my key (thus the fingerprint in response), but says it is "unusable".

gpg --list-keys looks good as well:

# gpg --list-keys                                  (master) [~/.dotfiles]
/Users/christophera/.gnupg/pubring.kbx
--------------------------------------
pub   rsa4096 2015-04-16 [SC] [expires: 2020-04-16]
      FDFE14A54ECB30FC5D2274EFF8D36C91357405ED
uid           [ unknown] Christopher Allen <[email protected]>
uid           [ unknown] [jpeg image of size 9272]

A few points: that GPG key is properly signed (--lsign-key) and has ultimate trust "5", and I am able to commit to my dotfiles repo using my GPG key and it shows as verified.

So in all other ways my GPG key works. But I can't add myself as the first git-crypt user.

Ideas?

ChristopherA avatar Dec 04 '19 22:12 ChristopherA

Solution is here: https://github.com/AGWA/git-crypt/issues/23#issuecomment-90617402

git-crypt add-gpg-user --trusted [email protected]

tbenst avatar Jan 09 '20 06:01 tbenst

This solution has not worked for me; my GPG key is signed and set up correctly, and even using --trusted it still gives me the error you were facing.

xunholy avatar Jul 11 '20 22:07 xunholy

Did you generate the key with gpg version >= 2.1.17? Then you would need to use gpg --full-generate-key to get a key with a sub. This worked for me instead of generating a key with gpg --default-new-key-algo rsa4096 --gen-key

Mi-Q avatar Mar 24 '21 14:03 Mi-Q

Note that this is not necessarily related to whether the key you're using is trusted or not, it can often be due to the usage of subkeys that is configured. See this question on StackExchange.

If you have a key that is qualified to sign (S) but not encrypt (E) you won't be able to use git-crypt.

Here's what the output of gpg -K looks like:

$ gpg -K
/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa2048 2019-09-27 [SC] [expires: 2023-11-23]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] User Name <[email protected]>
ssb   rsa4096 2021-06-01 [S] [expires: 2024-11-22]

Note that the subkey (the ssb line) listed only has [S] -- this means it can be used to sign, but not encrypt. To fix this, you need to edit the key (gpg --edit-key AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); it turns out there is a key edit command called change-usage.

t3hmrman avatar Nov 23 '21 05:11 t3hmrman
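As an added example (not from the thread or from git-crypt itself): a small POSIX shell pre-check that parses the machine-readable gpg --with-colons listing and reports whether a key carries a usable encryption (E) capability, which is what git-crypt add-gpg-user needs. The two listings embedded below are constructed for the example with placeholder key ids; check_gpg_key is the only function that calls a real gpg binary.

```shell
# Field 12 of a `gpg --with-colons` record holds key capabilities: lowercase
# letters are that key's own capabilities, uppercase letters on the primary
# (pub/sec) record summarise the *usable* capabilities of the whole key,
# i.e. an expired or revoked encryption subkey does not earn an uppercase E.
# Reads a colon listing on stdin; returns 0 if the key can encrypt, else 1.
key_can_encrypt() {
    awk -F: '
        ($1 == "pub" || $1 == "sec") && $12 ~ /E/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# One line per key/subkey with its own capability letters, for diagnosis.
describe_key_caps() {
    awk -F: '$1 ~ /^(pub|sec|sub|ssb)$/ { printf "%s %s caps=%s\n", $1, $5, $12 }'
}

# Live use (needs gpg installed): pass the key id or e-mail you would hand
# to `git-crypt add-gpg-user`; exit status 1 means "Unusable public key"
# is to be expected until an encryption-capable subkey exists.
check_gpg_key() {
    gpg --list-keys --with-colons "$1" | key_can_encrypt
}

# Constructed sample: primary key [SC] plus a sign-only subkey, mirroring the
# thread's gpg -K output. Whole-key caps are "scSC", so no E anywhere.
SIGN_ONLY_LISTING='pub:u:2048:1:AAAAAAAAAAAAAAAA:1569542400:1700697600::u:::scSC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1569542400::0000000000000000000000000000000000000000::User Name <user@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1622505600:1732233600:::::s::::::23:'

# Constructed sample: the same key after an encryption subkey was added
# (for example via the change-usage edit mentioned above); caps become "scESC".
WITH_ENCRYPT_LISTING='pub:u:2048:1:AAAAAAAAAAAAAAAA:1569542400:1700697600::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1569542400::0000000000000000000000000000000000000000::User Name <user@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1622505600:1732233600:::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1622505600:1732233600:::::e::::::23:'

# Stand-alone demo over the constructed samples.
for name in SIGN_ONLY_LISTING WITH_ENCRYPT_LISTING; do
    eval "listing=\$$name"
    printf '%s\n' "$listing" | describe_key_caps
    if printf '%s\n' "$listing" | key_can_encrypt; then
        echo "$name: usable for git-crypt add-gpg-user"
    else
        echo "$name: no usable encryption capability (expect 'Unusable public key')"
    fi
done
```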