Resolving GPG Email Mismatch Issues
Why This Happens
GPG Key Email Mismatch
- Each GPG key is associated with one or more email addresses. If the email address in the commit doesn't match the email addresses linked to the GPG key, verification fails.
Different Emails for Personal and Work Accounts
- Using different emails for personal and work-related commits can lead to mismatches if the GPG key is not configured with the correct email.
Vigilant Mode in GitHub
- GitHub's "vigilant mode" requires all commits to be signed with a GPG key that matches the committer's email, enhancing security.
How to Resolve the Issue
Option 1: Add the Organizational Email to Your GPG Key
-
Edit the GPG Key:
gpg --edit-key <your-key-id> -
Add a New Email:
adduidFollow the prompts to add your organizational email.
-
Save the Changes:
save quit -
Update GitHub with the Updated GPG Key: Export the updated key:
gpg --armor --export <your-key-id>Add the key to GitHub under GPG Keys settings (opens in a new tab).
Option 2: Use a Separate GPG Key for Organizational Work
-
Generate a New GPG Key:
gpg --full-generate-keyUse your work email during the setup process.
-
List GPG Keys to Obtain the Key ID:
gpg --list-secret-keys --keyid-format LONG -
Configure Git to Use the New Key: Set the
user.signingkeyin your work repo:git config user.email "your-work-email@example.com" git config user.signingkey <new-work-key-id> -
Add the New GPG Key to GitHub: Export the new key and add it to GitHub:
gpg --armor --export <new-work-key-id>
Option 3: Manually Configure the Committer Email
Ensure that the email used in your commits matches the one linked with your GPG key. You can set this in your repository:
git config user.email "matching-email@example.com"Why It's Important
- Security: Ensuring the email addresses match is critical for maintaining the integrity of your commits.
- Vigilant Mode: This mode enforces strict identity verification, protecting your codebase's security.
Last updated on 8 August 2024