Interactive GPG trust prompt breaks Lazygit GUI

Open pluggero opened this issue 2 months ago • 0 comments

Describe the bug

When GPG’s trust model is set to tofu+pgp in ~/.gnupg/gpg.conf, simply selecting a signed commit in Lazygit triggers GPG’s interactive trust prompt (because Lazygit renders commit details with signature info) when there is an issue with the key trust. Lazygit doesn’t handle this prompt: the UI garbles, blocks input, or freezes.

When merging PRs in GitHub using the Web GUI, the web-flow GPG is associated with the commit. The following output shows the result of git verify-commit when no trust-model (default) is used:

$ git verify-commit 7fb923c
gpg: Signature made Mon 20 Oct 2025 09:42:31 AM CEST
gpg:                using RSA key B5690EEEBB952194
gpg: Good signature from "GitHub <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9684 79A1 AFF9 27E3 7D1A  566B B569 0EEE BB95 2194

This is the example when the GPG trust model is set to tofu+pgp:

$ git verify-commit 7fb923c
The email address "[email protected]" is associated with 2 keys!  Please
indicate whether this email address should be associated with key
968479A1AFF927E37D1A566BB5690EEEBB952194 or whether you think someone is
impersonating "[email protected]".

This key's user IDs:
  GitHub <[email protected]> (policy: auto)

Statistics for keys with the email address "[email protected]":
  9684 79A1 AFF9 27E3 7D1A  566B B569 0EEE BB95 2194 (this key):
    Encrypted 0 messages.
    Messages verified over the past 1 day: 131.
  5DE3 E050 9C47 EA3C F04A  42D3 4AEE 18F8 3AFD EB23 (expired, policy: auto):
    Encrypted 0 messages.
    Verified 0 messages.

Normally, an email address is associated with a single key.  However,
people sometimes generate a new key if their key is too old or they think
it might be compromised.  Alternatively, a new key may indicate a
man-in-the-middle attack!  Before accepting this association, you should
talk to or call the person to make sure this new key is legitimate.

(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad?

This creates an interactive prompt which breaks the Lazygit GUI.

To Reproduce

Steps to reproduce the behavior:

  1. Set GPG trust model via ~/.gnupg/gpg.conf:
     # ~/.gnupg/gpg.conf
     trust-model tofu+pgp
  2. Make sure your keyring contains multiple keys for the signer email you’ll test with (common case: [email protected] has more than one key over time).
     curl https://github.com/web-flow.gpg | gpg --import
  3. Open Lazygit in a repo that contains a commit signed by that email.
  4. Select the signed commit in Lazygit.
  5. Observe: Lazygit displays a broken/partial prompt or becomes unresponsive instead of allowing a response to the GPG question.

For reference, running git verify-commit outside Lazygit in this state will show the same interactive prompt; e.g.:

gpg: Signature made Mon 20 Oct 2025 09:42:31 AM CEST
gpg:                using RSA key B5690EEEBB952194
gpg: Good signature from "GitHub <[email protected]>" [unknown]
...
(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad?

Expected behavior

Lazygit should avoid blocking on GPG’s interactive prompt when rendering commit details. Ideally it should:

  • Detect the interactive state and show a clear, non-interactive message (e.g. “GPG requires a trust decision; run verification in a terminal”), or
  • Render the prompt cleanly and accept user input without freezing.

Version info:

$ lazygit --version
commit=v0.55.1, build date=2025-09-17T18:57:13Z, build source=binaryRelease, version=0.55.1, os=linux, arch=amd64, git version=2.51.1.dirty
$ git --version
git version 2.51.1.dirty

Additional context

The issue does not occur if the trust model is left at default (no tofu) or set to pgp/always.

The issue does not occur when setting gpg.trust-model via Git config alone; it specifically reproduces when GPG itself enforces tofu+pgp in gpg.conf.

[!NOTE] Please try updating to the latest version or manually building the latest master to see if the issue still occurs.

pluggero, Oct 20 '25 10:10
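
A sketch of the first option under "Expected behavior", added here as an example and not taken from Lazygit's code base or from the reporter: run the verification with no stdin and no controlling terminal, bound it with a timeout, and replace the TOFU prompt with a static message. It assumes gpg asks its question on the controlling terminal; `RunDetached`, `NeedsTrustDecision` and `SignatureText` are hypothetical names, the marker strings are copied from the output quoted above, and Go 1.20+ on a Unix-like system is assumed for `cmd.Cancel`, `cmd.WaitDelay` and `Setsid`.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strings"
	"syscall"
	"time"
)

// Markers copied from the gpg output quoted in the issue above.
var tofuMarkers = []string{
	"(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad?",
	"indicate whether this email address should be associated with key",
}

// NeedsTrustDecision reports whether captured output contains the TOFU prompt.
func NeedsTrustDecision(output string) bool {
	flat := strings.Join(strings.Fields(output), " ") // gpg wraps long lines
	for _, m := range tofuMarkers {
		if strings.Contains(flat, m) {
			return true
		}
	}
	return false
}

// RunDetached (hypothetical helper) runs a command without stdin or a
// controlling terminal and kills its whole process group on timeout.
func RunDetached(timeout time.Duration, name string, args ...string) (string, bool) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true} // new session: no /dev/tty to prompt on
	cmd.Cancel = func() error { return syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL) }
	cmd.WaitDelay = time.Second // do not block forever on pipes a child still holds
	out, _ := cmd.CombinedOutput()
	return string(out), ctx.Err() == context.DeadlineExceeded
}

// SignatureText returns the text a UI could show for a commit's signature.
func SignatureText(commit string) string {
	out, timedOut := RunDetached(3*time.Second, "git", "verify-commit", commit)
	if timedOut || NeedsTrustDecision(out) {
		return "GPG requires a trust decision; run verification in a terminal"
	}
	return out
}

func main() { fmt.Println(SignatureText("HEAD")) }
```

The string match is a fallback for the case where the prompt text still reaches the captured output; the timeout covers the case where the child blocks without printing anything.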