Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Signing-only subkeys fail to import

See original GitHub issue


It appears that the action fails to accept signing-only subkeys when attempting to import the key.

Steps to reproduce this issue

  1. Generate secret subkey with only signing capability
  2. Export signing subkey to Actions Secret
  3. Configure action as documented in readme

Expected behaviour

I’d expect the key to be registered successfully such that commit and tag signing works as usual.

Since the private key needs to be stored within Actions’ Secrets, it is beneficial to limit the exposed surface area of the key. For that reason, I only want the signing subkey to be stored as the secret, not the entire master secret key. (That way revocation is straightforward, in the event the key is compromised.)

Demonstration of local commit sign with signing-subkey only:
$ export GNUPGHOME=/var/folders/g5/hjyp2_y91ggcbxmqnrxs54dh0000gn/T/tmp.bcUU6uhH
$ gpg -K
$ gpg --import sign.gpg 
gpg: key 249FB5A789A6EF28: public key "Nodenv Bot (github) <>" imported
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 249FB5A789A6EF28: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg -K
sec#  rsa4096 2020-09-01 [C]
uid           [ unknown] Nodenv Bot (github) <>
uid           [ unknown] Nodenv Bot <>
ssb   rsa4096 2020-09-01 [S]

$ git config nodenv-bot $ git config $ git config user.signingkey 91F91D7F54BA3485 $ git ci -S --allow-empty -m testing [bot-sign eea63992] testing $ git show --show-signature gpg: Signature made Tue Sep 1 20:10:08 2020 EDT gpg: using RSA key CEA5F06CC5C89B801954C4B291F91D7F54BA3485 gpg: Good signature from “Nodenv Bot (github)” [unknown] gpg: aka “Nodenv Bot” [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: EC4A 0589 2FB2 6032 43F5 031D 249F B5A7 89A6 EF28 Subkey fingerprint: CEA5 F06C C5C8 9B80 1954 C4B2 91F9 1D7F 54BA 3485

Actual behaviour

When the import-gpg action runs, it generates an error:

Run crazy-max/ghaction-import-gpg@v2
    git_user_signingkey: true
    git_commit_gpgsign: true
    git_tag_gpgsign: true
    git_push_gpgsign: false
    workdir: .
📣 GnuPG info
Version    : 2.2.4 (libgcrypt 1.8.1)
Libdir     : /usr/lib/x86_64-linux-gnu/gnupg
Libexecdir : /usr/lib/gnupg
Datadir    : /usr/share/gnupg
Homedir    : /home/runner/.gnupg
🔮 Checking GPG private key
##[error]Could not find valid encryption key packet in key 249fb5a789a6ef28


name: Test Signing

    runs-on: ubuntu-latest
      - uses: actions/checkout@v2
          ref: bot-sign
          fetch-depth: 0
          token: ${{ secrets.BOT_TOKEN }}

      - uses: crazy-max/ghaction-import-gpg@v2
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_tag_gpgsign: true
          GPG_PRIVATE_KEY: ${{ secrets.BOT_GPG_KEY }}

      - run: git commit --allow-empty -m testing
          GIT_AUTHOR_NAME: 'nodenv bot'
          GIT_AUTHOR_EMAIL: ''
          GIT_COMMITTER_NAME: 'nodenv bot'

      - run: git push



Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:4
  • Comments:11 (2 by maintainers)

github_iconTop GitHub Comments

alekseibevzenkocommented, Oct 11, 2021

@crazy-max Hi. I have tried to use crazy-max/ghaction-import-gpg@subkey and it works. Previous version v4 was failed with ##[error]Could not find valid encryption key packet in key

jasonkarnscommented, Dec 23, 2020

I’ve confirmed that using a Sign+Encrypt subkey works as expected, so that’s at least a workaround. (It works in my particular case… however, there are other scenarios where one can not add an additional encryption subkey because it’s generally expected that there be only a single encrypting subkey.)

Regardless, there is a slight bug (minor annoyance, really) when using only a subkey: this action reports a warning during workflow cleanup that the secret key is missing. This annotation is displayed on the workflow summary, as well as in detail within the workflow log output.

gpg: key "EC4A05892FB2603243F5031D249FB5A789A6EF28" not found gpg: EC4A05892FB2603243F5031D249FB5A789A6EF28: delete key failed: Not found

My assumption is that this action is attempting to delete the secret key that was added. However, if the secret key contains only a subkey, then the deletion fails.

Read more comments on GitHub >

github_iconTop Results From Across the Web

T3728 error: sign+encrypt failed: unusable public key - GnuPG
Hi,. I have imported a key and did trusted,but while encrypting getting "sign+encrypt failed: unusable public key" error expiry date for both key...
Read more >
[HOW TO]Import your existing GPG key into a Neo from scratch
"key 1" deselects the first (encryption) subkey, then "key 2" selects the second (signing) subkey. "keytocard" is used to MOVE the signing ...
Read more >
openpgp/keys.go - crypto.git - Git at Google
and zero or more subkeys, which may be encryption keys. type Entity struct { ... This Entity appears to be signing only. ......
Read more >
yum install cannot import the gpg key: signature 9 doesn't bind ...
Consequently, *YUM* failed with the following error message: ---- signature X doesn't bind subkey to key, type is subkey revocation ---- This ...
Read more >
Creating the perfect GPG keypair - Alex Cabal
gpg --import /tmp/gpg/subkeys sudo umount /tmp/gpg rmdir /tmp/gpg. That's all! ... gpg: signing failed: general error.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found