Satish B. Setty

GitHub, GPG and a missing email address

It was announced on debian-devel that /usr/bin/gpg will be provided by GnuPG v2.1 instead of GnuPG 1.x. One new feature of gpg2 is the ability to generate a new keypair with an empty email address. And this breaks lots of tools, including GitHub.

$ gpg2 --gen-key --expert 
GnuPG needs to construct a user ID to identify your key.

Real name: Satish B. Setty
Email address: 
You selected this USER-ID:
    "Satish B. Setty"
    
    Change (N)ame, (E)mail, or (O)kay/(Q)uit? o

Notice that the user ID is not of the form “User Name <user@example.org>”, which is typical of GPG. Even though such a keypair can be generated only with gpg2, it is usable by both gpg1 and gpg2:

$ curl -s https://keybase.io/rand-user/key.asc | gpg1 --import
gpg: key 5492EB02: public key "Satish B. Setty" imported
gpg: Total number processed: 1
gpg:               imported: 1

So gpg1 can import my keys and they’re usable.

Git allows you to GPG-sign your commits (and git tags) with git commit -S. I have this in my gitconfig:

[user]
  signingkey = 5492EB02!
[gpg]
  program = /usr/bin/gpg2

Similarly, GitHub can verify that such commits are signed and show them in GitHub’s commit log page. Except that it doesn’t recognize them when the email address is missing; it shows them as “Unverified”:

Fig. 1 GitHub – “Unverified” for empty email address

Wait, did GitHub actually import the GPG key with a missing email address? Indeed:

Fig. 2 GPG public key import succeeded with empty email

I think the missing email ID is not the issue here. Git itself has no problems in recognizing the signature:

$ git verify-commit HEAD
gpg: Signature made Sat Aug  6 11:38:21 2016 EEST using DSA key ID 5492EB02
gpg: Good signature from "Satish B. Setty" [ultimate]

Therefore, I expected GitHub to mark my commit as “Verified” but it didn’t. I consider this a bug in GitHub and wanted to raise a bug report… on GitHub… about GitHub… but GitHub does not have an issue tracker on GitHub for its own issues. GitHub, will you please eat your own dogfood?

You might ask why an empty email address? Many reasons. Spam protection. Hiding identity on the web. Or in my case, frequently changing email addresses – I’ve had so many in the past few years (Gmail, Hotmail, Yahoo mail, GMX, etc.) that I don’t want to tie my PGP key to some email address(es). My full name and a GPG key fingerprint are my identity; email is not necessary. Obviously, there are workarounds for this, like associating an invalid email ID (name@users.noreply.github.com) or using a separate PGP key for git-signing only.
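An added example, not from the original post: a shell check over `gpg --with-colons` output that reports whether any user ID on a key carries a given email address, which is what a verifier that matches the committer email against the key's user IDs would look for. That matching rule is an assumption about how a hosting service might decide, and the sample records, key IDs and function names below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's code). Reads `gpg --with-colons` records on
# stdin; field 10 of a "uid" record holds the user ID string.

# Print the address inside a trailing <...> for each uid record.
# A uid with no email part (as generated in the post) prints nothing.
uid_emails() {
    awk -F: '$1 == "uid" {
        uid = $10
        if (match(uid, /<[^<>@ ]+@[^<>@ ]+>$/))
            print tolower(substr(uid, RSTART + 1, RLENGTH - 2))
    }'
}

# Exit 0 if some uid carries the given email (case-insensitive), else 1.
key_has_email() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    uid_emails | grep -Fqx -- "$want"
}

# Constructed sample records (key IDs, hashes and timestamps are placeholders).
SAMPLE_NO_EMAIL='pub:u:2048:17:0000000000000001:1470472701:::u:::scSC:
uid:u::::1470472701::0000000000000000000000000000000000000000::Satish B. Setty:'
SAMPLE_WITH_EMAIL='pub:u:2048:17:0000000000000002:1470472701:::u:::scSC:
uid:u::::1470472701::1111111111111111111111111111111111111111::Example User <name@users.noreply.github.com>:'

# Assumed committer address, i.e. what `git config user.email` would return.
COMMIT_EMAIL='name@users.noreply.github.com'

for sample in "$SAMPLE_NO_EMAIL" "$SAMPLE_WITH_EMAIL"; do
    if printf '%s\n' "$sample" | key_has_email "$COMMIT_EMAIL"; then
        echo "a uid on this key carries $COMMIT_EMAIL"
    else
        echo "no uid on this key carries $COMMIT_EMAIL"
    fi
done

# Against a real keyring the same check would read:
#   gpg2 --list-keys --with-colons 5492EB02 | key_has_email "$(git config user.email)"
```

A key that fails this check still produces a good signature under `git verify-commit`; the check only shows that an email-based match between commit and key has nothing to match on.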

Anyways, the point is that the git CLI allows me to sign commits with an empty email address but it stumps GitHub. And GitHub doesn’t have a public issue tracker to discuss this.