I am trying to sign git commits with an X.509 certificate I got from DFN (Deutsches Forschungsnetz). I can sign emails/odt/docx/pdf just fine and can also sign git commits with my personal GPG key.
I have imported my key into gpgsm and it appears under
$ gpgsm --list-secret-keys
I have set up git with
[user]
signingkey = ...
[commit]
gpgsign = true
[gpg]
format = x509
Git commit fails with
$ git commit -S -m "test"
error: gpg failed to sign the data
fatal: failed to write commit object
$ GIT_TRACE=1 git commit -S -m "test"
10:29:29.906544 git.c:459 trace: built-in: git commit -S -m test
10:29:29.907024 run-command.c:654 trace: run_command: gpgsm --status-fd=2 -bsau 0xXXXXXXXX
error: gpg failed to sign the data
fatal: failed to write commit object
Digging a bit deeper, I get the following:
$ gpgsm --status-fd=2 -bsau 0xXXXXXXXXXXX
gpgsm: Note: non-critical certificate policy not allowed
[GNUPG:] PROGRESS tick ? 0 0
....
gpgsm: no CRL found for certificate
gpgsm: Note: non-critical certificate policy not allowed
gpgsm cannot find the revocation list. Is this expected or a configuration error?
UPDATE: Not sure if this is important information, but when importing the certificate into gpgsm, I ran into [1] and solved it by re-exporting the certificate from Thunderbird.
[1] https://superuser.com/questions/1725832/gpgsm-cannot-import-private-key
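The acceptance rule git applies to the signing helper's output, as an added example that is not part of the original post: git runs the exact command from the GIT_TRACE line, `gpgsm --status-fd=2 -bsau <signingkey>`, and treats the run as successful only when gpgsm exits 0 and its status stream carries a `[GNUPG:] SIG_CREATED` line; everything else collapses into the generic "gpg failed to sign the data", which is why the "no CRL found for certificate" message only becomes visible when gpgsm is invoked by hand. The status samples below are constructed (the failing one is copied from the post, the successful one uses made-up SIG_CREATED field values), and `sign_like_git` assumes a working gpgsm and the key ID that is configured as git's user.signingkey.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reproduces git's decision when it runs the signing helper:
#   gpgsm --status-fd=2 -bsau <signingkey>
# git accepts the signature only if gpgsm exits 0 AND the status stream
# (fd 2) contains a line starting with "[GNUPG:] SIG_CREATED". Any other
# outcome is reported as "gpg failed to sign the data", so the gpgsm
# diagnostics that explain the failure are never shown by git itself.

# Constructed sample: the status output of the failing run from the post.
FAILED_STATUS='gpgsm: Note: non-critical certificate policy not allowed
[GNUPG:] PROGRESS tick ? 0 0
gpgsm: no CRL found for certificate
gpgsm: Note: non-critical certificate policy not allowed'

# Constructed sample of a successful run. SIG_CREATED fields are
# <sigtype> <pubkey algo> <hash algo> <sig class> <timestamp> <fingerprint>;
# the values below are made up.
OK_STATUS='[GNUPG:] PROGRESS tick ? 0 0
[GNUPG:] SIG_CREATED D 1 8 00 20240101T000000 0123456789ABCDEF0123456789ABCDEF01234567'

# git_would_accept STATUS_TEXT
# Returns 0 when the status stream satisfies git's SIG_CREATED check, 1 otherwise.
git_would_accept() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] SIG_CREATED '
}

# gpgsm_diagnostics STATUS_TEXT
# Prints the gpgsm messages git discards, minus the informational Notes.
gpgsm_diagnostics() {
    printf '%s\n' "$1" | grep '^gpgsm:' | grep -v '^gpgsm: Note:' || true
}

# sign_like_git SIGNINGKEY
# Runs the same command git runs on a throwaway payload, keeps only the
# status stream (stderr) and applies git's acceptance rule to it.
# Requires gpgsm; SIGNINGKEY is the value of git's user.signingkey (assumption).
sign_like_git() {
    key="$1"
    rc=0
    status=$(printf 'test\n' | gpgsm --status-fd=2 -bsau "$key" 2>&1 >/dev/null) || rc=$?
    if [ "$rc" -eq 0 ] && git_would_accept "$status"; then
        echo "SIG_CREATED seen and exit status 0: git would accept this signature"
        return 0
    fi
    echo "exit status $rc, no SIG_CREATED: git would report 'gpg failed to sign the data'"
    echo "gpgsm diagnostics git did not show:"
    gpgsm_diagnostics "$status"
    return 1
}

# Usage (replace with your own key ID): sign_like_git 0xXXXXXXXX
```

To confirm that the missing CRL is really the blocker rather than the policy Notes, run `sign_like_git` once more with `--disable-crl-checks` added to the gpgsm command (an existing gpgsm option): if SIG_CREATED then appears, revocation checking is the only failing step. Treat that as a diagnostic, not a fix; leaving CRL checks disabled means a revoked certificate still signs, so the durable remedy is to get gpgsm's CRL lookup (which it delegates to dirmngr) working for the issuer's distribution point.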