GitHub, GPG and a missing email address
It was announced on debian-devel that
/usr/bin/gpg will be provided by GnuPG v2.1
instead of GnuPG 1.x. One new feature of
gpg2 is the ability to generate a new keypair
with an empty email address. And this breaks lots of tools, including GitHub.
    $ gpg2 --gen-key --expert
    GnuPG needs to construct a user ID to identify your key.

    Real name: Satish B. Setty
    Email address:
    You selected this USER-ID:
        "Satish B. Setty"

    Change (N)ame, (E)mail, or (O)kay/(Q)uit? o

Notice that the user id is not of the form “User Name <firstname.lastname@example.org>”, which is
typical of GPG. Even though such a keypair can be
generated only with
gpg2, it is usable by both
    $ curl -s https://keybase.io/rand-user/key.asc | gpg1 --import
    gpg: key 5492EB02: public key "Satish B. Setty" imported
    gpg: Total number processed: 1
    gpg: imported: 1

gpg1 can import my keys and they’re usable.
Git allows you to GPG-sign your commits (and git tags) with
git commit -S. I have
this in my
    [user]
        signingkey = 5492EB02!
    [gpg]
        program = /usr/bin/gpg2

Similarly, GitHub can verify that such commits are signed and show them in GitHub’s commit log page. Except that it doesn’t recognize them when the email address is missing; it shows them as “Unverified”:
Wait, did GitHub actually import the GPG key with a missing email address? Indeed:
I think the missing email ID is not the issue here. Git itself has no problems in recognizing the signature:
    $ git verify-commit HEAD
    gpg: Signature made Sat Aug 6 11:38:21 2016 EEST using DSA key ID 5492EB02
    gpg: Good signature from "Satish B. Setty" [ultimate]

Therefore, I expected GitHub to mark my commit as “Verified” but it didn’t. I consider this a bug in GitHub and wanted to raise a bug report… on GitHub… about GitHub… but GitHub does not have an issue tracker on GitHub for its own issues. GitHub, will you please eat your own dogfood?
You might ask why an empty email address? Many reasons. Spam protection. Hiding identity
on the web. Or in my case, frequently changing email addresses – I’ve had so many in the
past few years (Gmail, Hotmail, Yahoo mail, GMX, etc.), that I don’t want to tie my PGP
key to some email address(es). My full name and a GPG key fingerprint are my identity,
email is not necessary. Obviously, there are workarounds for this. Like associating an
invalid email ID (
email@example.com) or using a separate PGP key for
Anyways, the point is that
git CLI allows me to sign commits with an empty email address
but it stumps GitHub. And GitHub doesn’t have a public issue tracker to discuss this.
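
An added example, not part of the original post: a small Python audit that parses user IDs from `gpg --with-colons` style output, flags keys whose user IDs carry no email address, and checks whether a committer email can be matched to any user ID. Matching on email is an assumption about how a hosting service might bind a signature to an account, not GitHub's confirmed logic; the listing and the long key IDs are constructed.

```python
import re

# Constructed sample in `gpg --with-colons --list-keys` layout:
# field 5 of a pub record is the key ID, field 10 of a uid record is the user ID.
SAMPLE = """\
pub:u:2048:17:00000000AAAAAAAA:1470472701:::u:::scESC:
uid:u::::1470472701::::Satish B. Setty:
pub:u:2048:1:00000000BBBBBBBB:1470472701:::u:::scESC:
uid:u::::1470472701::::Example User (work) <user@example.org>:
"""

# Conventional user ID layout: Name (Comment) <email>; every part is optional.
UID_RE = re.compile(r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?$")

def unescape(field):
    # Colon listings escape special bytes as \xNN (e.g. ':' becomes \x3a).
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def parse_uid(uid):
    m = UID_RE.match(uid.strip())
    if not m:                      # free-form user ID: treat it all as the name
        return {"name": uid.strip(), "comment": None, "email": None}
    return {k: (v or None) for k, v in m.groupdict().items()}

def load_keys(listing):
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = []
        elif f[0] == "uid" and current and len(f) > 9:
            keys[current].append(parse_uid(unescape(f[9])))
    return keys

def audit(listing, committer_email):
    """Per key: 'match', 'mismatch', or 'no-email' (no user ID has an address)."""
    report = {}
    for keyid, uids in load_keys(listing).items():
        emails = {u["email"].lower() for u in uids if u["email"]}
        if not emails:
            report[keyid] = "no-email"
        elif committer_email.lower() in emails:
            report[keyid] = "match"
        else:
            report[keyid] = "mismatch"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, "user@example.org"))
```

To audit a real keyring, pass the output of `gpg2 --with-colons --list-keys` as the listing; a `no-email` key still produces a cryptographically good signature, it just gives an email-based matcher nothing to compare against.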