"Different user's signature" message for my own signature
Summary
I've configured SSH key signing of my own commits, but when viewing the commits on GitLab it says it's a different user's signature. If this is actually the case, and not just a bug in GitLab, then as far as I understand it would mean that my SSH key has been compromised.
Steps to reproduce
- Create an SSH key pair in ~/.ssh
- Log into gitlab.com
- Add the public key to https://gitlab.com/-/profile/keys
- Add the following to ~/.gitconfig:

      [commit]
          gpgsign = true
      [gpg]
          format = ssh
      [gpg "ssh"]
          allowedSignersFile = /home/username/.ssh/allowed_signers
      [user]
          signingkey = /home/username/.ssh/id_rsa.pub

- Add the following to ~/.ssh/allowed_signers, replacing the email address and public key with your own values:

      username@example.org namespaces="git" [the contents of ~/.ssh/id_rsa.pub without the square brackets]

- Commit something with the git commit -S flag to sign the commit
- Verify that git show --show-signature says 'Good "git" signature for username@example.org with RSA key SHA256:[omitted]'
- Push the commit to GitLab
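The two checks in these steps answer different questions: local git only asks whether the signing key is listed for the commit's email in allowed_signers, while GitLab asks whether the key belongs to an account whose verified emails include the committer email. The script below is an added illustration, not code from the report or from GitLab; the ed25519 keys, the allowed_signers text and the account mapping are constructed, and the server-side decision is a simplified model of GitLab's documented behaviour.

```python
import base64
import hashlib
import struct

def _ed25519_pubkey_line(fill_byte):
    # Constructed, syntactically valid ssh-ed25519 public key (32 fixed bytes), not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill_byte]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

KEY_A = _ed25519_pubkey_line(0x41)   # the reporter's key in this model
KEY_B = _ed25519_pubkey_line(0x42)   # an unrelated key
ALLOWED_SIGNERS = 'username@example.org namespaces="git" ' + KEY_A + "\n"

def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of sha256(key blob)."""
    key_type, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_allowed_signers(text):
    """Map key fingerprint -> principal from lines of the form: principal [options] key-type base64."""
    allowed = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        i = 1                                   # skip option tokens such as namespaces="git"
        while i < len(parts) and ("=" in parts[i] or parts[i] == "cert-authority"):
            i += 1
        allowed[ssh_fingerprint(" ".join(parts[i:i + 2]))] = parts[0]
    return allowed

def local_git_verdict(commit_email, fingerprint, allowed):
    """What git show --show-signature effectively checks: principal in allowed_signers matches the commit email."""
    return "good" if allowed.get(fingerprint) == commit_email else "no principal matched"

def gitlab_verification_state(committer_email, fingerprint, registered_keys, verified_emails):
    """Model (assumption) of GitLab's decision: key must be registered, and the committer email must be
    one of the key owner's verified emails; otherwise the UI shows 'Different user's signature'."""
    owner = registered_keys.get(fingerprint)
    if owner is None:
        return "unverified"
    if committer_email.lower() in {e.lower() for e in verified_emails.get(owner, ())}:
        return "verified"
    return "other_user"

def demo():
    """Reproduce the report: local verification passes while GitLab reports another user's signature."""
    fp = ssh_fingerprint(KEY_A)
    local = local_git_verdict("username@example.org", fp, parse_allowed_signers(ALLOWED_SIGNERS))
    remote = gitlab_verification_state("username@example.org", fp, {fp: "username"},
                                       {"username": {"commit-email@example.org"}})
    return local, remote
```

Adding the commit email as a verified email of the account that owns the key (or committing with the account's commit email) moves the modelled state from "other_user" to "verified".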
Example Project
What is the current bug behavior?
The commit is marked as "Unverified" in GitLab, with a message like this one:
Different user's signature
This commit was signed with a different user's verified signature. SSH key fingerprint: [omitted]
What is the expected correct behavior?
The commit should say it's verified.
Relevant logs and/or screenshots
Other info
My "commit email" on GitLab is different from the email address which is in my actual commits.
It might be relevant that I have configured two SSH keys in GitLab.
I always type my email address in lower case, so this isn't relevant.
Output of checks
This bug happens on GitLab.com