GPG signing breaks commit flow
Describe the bug
When signing commits with a GPG key (which is unlocked, but password protected), Lazygit gets booted out to a shell and prompts pressing enter to return to Lazygit.
To Reproduce
Steps to reproduce the behavior:
- Setup GPG signing (I have a passworded key in this example)
- Setup auto signing with: git config --global commit.gpgsign true
- Make a commit via Lazygit
- Booted out of UI and have to press enter to return to Lazygit: https://github.com/jesseduffield/lazygit/blob/master/pkg/i18n/english.go#L823
Output when booted out:
➜ linux-scripts git:(master) ✗ lazygit
+ bash -c git commit -m "test: remove file"
[master 7e90dc1] test: remove file
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 test
Press enter to return to lazygit
➜ linux-scripts git:(master)
Expected behavior
Make the commit. Do not close the UI, do require pressing enter. Do not pass go :-)
Desktop:
- OS: Pop!_OS (Ubuntu)
- Lazygit Version: 0.23.2
Additional context
Maybe related to #30
Same issue here, it would be nice if we could commit using gpg. For now it gives an error as described above
Any news? I've got the same issue here too
Sorry for the late reply on this one. My understanding was that gpg signing always required a password. Is this not the case? If so, we can add a config option for not switching to the subprocess. If gpg never asks for a password, we can stop switching to a subprocess altogether. Unfortunately I was never able to get gpg signing working properly on my mac, and I don't use it at work so I'm not across how it typically works.
Hey @jesseduffield - for me it sometimes asks for a password, kind of like sudo. It remembers for a set period of time.
> Sorry for the late reply on this one. My understanding was that gpg signing always required a password. Is this not the case? If so, we can add a config option for not switching to the subprocess. If gpg never asks for a password, we can stop switching to a subprocess altogether. Unfortunately I was never able to get gpg signing working properly on my mac, and I don't use it at work so I'm not across how it typically works.
You can make the agent / keychain (not sure which) remember your password. It never asks me for mine
> My understanding was that gpg signing always required a password. Is this not the case?
It depends, as @fr3fou mentioned you can configure gpg to remember your password for a long period of time so it doesn't always ask for one. Also take into consideration that, depending on user configuration, gpg might be configured to ask for the password in the console, which, if I remember correctly, messes with lazygit because gpg tries to take over the terminal you're working on. Now if you're using the gtk/qt program it shouldn't be a problem.
It sounds like the best approach here is to introduce a config option to override the default behaviour of switching to a subprocess if GPG signing is enabled. In that case, those who never need to provide a password never need to leave lazygit.
Unfortunately, dealing with the request for a password without switching to a subprocess is challenging. There are two ways I know of to do it:
- use a package like go-git (see here https://github.com/go-git/go-git/blob/db2bc57350561c4368a8d32c42476699b48d2a09/worktree_commit_test.go#L355) which I've had problems with in the past, and I'm not actually sure how it would work in this case.
- set the GIT_ASKPASS env var to point to the lazygit binary and have it open another lazygit application in a client-mode so that you can provide the details from the parent lazygit. This too is tricky to set up and I still have no idea whether it would be considered secure. I also suspect gpg signing doesn't actually make use of GIT_ASKPASS.
just realised we actually already have a config key for this: git.overrideGpg
lazygit was having issues for me when my gpg key wasn't unlocked. I've updated my alias to prime gpg-agent (I think...) and it seems to have stopped the failure condition I was running into.
alias lg='echo "foo" | gpg --sign -u [myemail] > /dev/null; lazygit'
I subscribed here to see if there's a better solution 👋 eventually 👋 but in the meantime it looks like git.overrideGpg solves the "GPG never asks for my password, so stop dumping me to a prompt on commit" problem, at least for me. Thank you, @jesseduffield!
There is a workaround for this. In your ~/.gnupg/gpg-agent.conf add this:
default-cache-ttl n
# Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry’s timer is reset. To set an entry’s maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.
max-cache-ttl n
# Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).
I've set n to 28800 (8 hours), so I sign the first commit without lazygit, and then I can keep using lazygit without problems.
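
The priming alias and the cache-TTL workaround above both depend on whether gpg-agent currently holds the passphrase; this added example (not code from the thread or from lazygit) asks the agent directly and only primes it when the signing key is not cached. The function names are hypothetical, the sample data is constructed, and the KEYINFO column order (CACHED in the fifth column after KEYINFO) is assumed to match the installed gpg-agent.

```shell
#!/bin/sh
# Added example: check gpg-agent's passphrase cache before starting lazygit.

# Constructed sample of `gpg --with-colons --with-keygrip -K` output.
SAMPLE_KEYS='sec:u:255:22:AAAAAAAAAAAAAAAA:1600000000:::u:::cSC:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:255:22:BBBBBBBBBBBBBBBB:1600000000::::::s:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:255:18:CCCCCCCCCCCCCCCC:1600000000::::::e:
grp:::::::::3333333333333333333333333333333333333333:'

# Constructed sample of `gpg-connect-agent "keyinfo --list" /bye` output.
# Columns after KEYINFO: keygrip type serialno idstr cached protection fpr ttl flags
SAMPLE_AGENT='S KEYINFO 1111111111111111111111111111111111111111 D - - - P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - 1 P - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - - P - - -
OK'

# Print the keygrip of every key whose own capabilities (field 12) include "s".
signing_keygrips() {
    awk -F: '$1 == "sec" || $1 == "ssb" { cap = $12 }
             $1 == "grp" && cap ~ /s/   { print $10 }'
}

# Exit 0 if the KEYINFO lines on stdin report keygrip $1 with CACHED == 1.
keyinfo_cached() {
    awk -v grip="$1" '$1 == "S" && $2 == "KEYINFO" && $3 == grip && $7 == "1" { hit = 1 }
        END { exit !hit }'
}

# any_signing_key_cached KEYS_TEXT AGENT_TEXT: 0 if any signing keygrip is cached.
any_signing_key_cached() {
    for grip in $(printf '%s\n' "$1" | signing_keygrips); do
        printf '%s\n' "$2" | keyinfo_cached "$grip" && return 0
    done
    return 1
}

# lg: prime the agent (as the alias in the thread does) only when needed.
lg() {
    key=$(git config --get user.signingkey) || return 1
    keys=$(gpg --batch --with-colons --with-keygrip -K "$key") || return 1
    agent=$(gpg-connect-agent 'keyinfo --list' /bye) || return 1
    any_signing_key_cached "$keys" "$agent" ||
        echo prime | gpg --sign -u "$key" >/dev/null || return 1
    lazygit
}
```

Source the file from a shell startup script and run `lg` in place of the alias; it assumes `user.signingkey` is set in git config.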