
Error: "Unusable Public Key" #191


Open
ChristopherA opened this issue Dec 4, 2019 · 4 comments


@ChristopherA

I am using macOS Catalina and the brew version of git-crypt (there is no -v option so I am not sure which version of git-crypt, but it is today's brew install git-crypt).

I have a repo without git-crypt (my .dotfiles) and I have just initialized it with git-crypt init and git-crypt answers Generating key...

However, when I git-crypt add-gpg-user [email protected] I get:

gpg: 0xFDFE14A54ECB30FC5D2274EFF8D36C91357405ED: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
git-crypt: GPG error: Failed to encrypt

git-crypt is finding my key (thus the fingerprint in response), but says it is "unusable".

gpg --list-keys looks good as well:

# gpg --list-keys                                  (master) [~/.dotfiles]
/Users/christophera/.gnupg/pubring.kbx
--------------------------------------
pub   rsa4096 2015-04-16 [SC] [expires: 2020-04-16]
      FDFE14A54ECB30FC5D2274EFF8D36C91357405ED
uid           [ unknown] Christopher Allen <[email protected]>
uid           [ unknown] [jpeg image of size 9272]

A few points: that GPG key is properly signed --lsign-key, and has ultimate trust "5", and I am able to use that commit to my dotfiles repo using my GPG key and it shows as verified.

So in all other ways my GPG key works. But I can't add myself as the first git-crypt user.

Ideas?

@tbenst

tbenst commented Jan 9, 2020

Solution is here: #23 (comment)

git-crypt add-gpg-user --trusted [email protected]

@xunholy

xunholy commented Jul 11, 2020

This solution has not worked for me; my GPG key is signed and set up correctly, and even using --trusted it still gives me the error you were facing.

@Mi-Q

Mi-Q commented Mar 24, 2021

Did you generate the key with gpg version >= 2.1.17? Then you would need to use gpg --full-generate-key to get a key with a sub. This worked for me instead of generating a key with gpg --default-new-key-algo rsa4096 --gen-key

@t3hmrman

t3hmrman commented Nov 23, 2021

Note that this is not necessarily related to whether the key you're using is trusted or not; it can often be due to the usage of subkeys that is configured. See this question on StackExchange.

If you have a key that is qualified to sign (S) but not encrypt (E) you won't be able to use git-crypt.

Here's what the output of gpg -K looks like:

$ gpg -K
/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa2048 2019-09-27 [SC] [expires: 2023-11-23]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] User Name <[email protected]>
ssb   rsa4096 2021-06-01 [S] [expires: 2024-11-22]

Note that the subkey (the ssb line) listed only has [S] -- this means it can be used to sign, but not encrypt. To fix this, you need to edit the key (gpg --edit-key AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); it turns out there is a key edit command called change-usage.
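
The capability check discussed in the comments above, as an added example that is not part of the original thread or of git-crypt: it reads gpg's machine-readable `--with-colons` listing and reports which primary key or subkeys can actually be encrypted to. The function name, key IDs and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not git-crypt or GnuPG code.
# Reads `gpg --list-keys --with-colons <key>` output on stdin and prints the
# key ID of every primary key (pub) or subkey (sub) that can receive
# encrypted data. Exit status is 1 when there is none.
# Colon-format fields used: 1 = record type, 2 = validity, 5 = key ID,
# 12 = capabilities (a lowercase "e" means this key can encrypt).
encryptable_keys() {
    awk -F: '
        ($1 == "pub" || $1 == "sub") {
            # validity e = expired, r = revoked, i = invalid, d = disabled
            if ($2 ~ /^[erid]$/) next
            if ($12 ~ /e/) { print $5; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: primary [SC] plus a signing-only subkey [S], the layout
# shown in the gpg -K listing above. Key IDs and timestamps are placeholders.
SIGN_ONLY='pub:u:2048:1:AAAAAAAAAAAAAAAA:1569542400:1700697600::u:::scSC::::::23::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1622505600:1732233600:::::s::::::23:'

# Constructed sample: the same primary key with an encryption subkey [E].
WITH_ENC='pub:u:2048:1:AAAAAAAAAAAAAAAA:1569542400:1700697600::u:::scESC::::::23::0:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1622505600:1732233600:::::e::::::23:'

# Constructed sample: an encryption subkey exists but has expired (validity e).
EXPIRED_ENC='pub:u:2048:1:AAAAAAAAAAAAAAAA:1569542400:1700697600::u:::scSC::::::23::0:
sub:e:4096:1:DDDDDDDDDDDDDDDD:1559347200:1590969600:::::e::::::23:'

for sample in "$SIGN_ONLY" "$WITH_ENC" "$EXPIRED_ENC"; do
    if ids=$(printf '%s\n' "$sample" | encryptable_keys); then
        echo "encryption-capable key(s): $ids"
    else
        echo "no usable encryption-capable key or subkey"
    fi
done

# Against a real keyring (address is a placeholder):
#   gpg --list-keys --with-colons user@example.com | encryptable_keys
```
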
