IntelliJ IDEA and Git's "gpg failed to sign the data"

Why even bother with signing commits with GPG key? The most important reason is quite simple - it proves that you are the author of a given commit. Or to be more precise - the key that was used to sign this commit matches the key associated with your account. Github honors signing commits with this pretty lovely badge added to the commit history log.

Signing git commits make even more sense if you use tools like Keybase.io to chat and share files in a secure (encrypted) fashion.

First of all, you need to have a GPG key. Github’s help page^[1] explains in details how to generate a key, as well as how to associate it with your account. I encourage you to read it - it won’t take more than 5 minutes of your time.

Next, you need to configure your Git client to use the key. Depending on your preferences, you might want to set up GPG signing globally, or you can do it locally for a single repository. In my case, I decided to set up signing commits at the global level with the following two commands:

If you use Git from the command line, that is all you have to do. You can create the first commit and push it to Github to see "Verified" badge next to your commit history log entry.

I assume you also use your IDE’s built-in Git client. I use IntelliJ IDEA daily, and I use its Git client a lot. When I tried to create the first commit after enabling GPG signing, IDEA’s client stopped working, and it started failing with the following error:

I started googling to see what the problem is. It quickly turned out that this is not the IDEA’s problem, but rather Git and GnuPG issue. It fails to sign the commit if Git command is executed without TTY, so GPG cannot prompt to ask you for a password. I’ve quickly found a solution that suggested creating an alias that executes gpg with --batch --no-tty options. I created a script:

Then I added the following block to my .gitconfig file.

The solutions I’ve found promised that in this case IDEA will use gpg-agent that can store the password in the keyring and automatically sign the commit. Well, it didn’t work for me. At least not right away.

I use Fedora Linux, and it seemed to be a critical factor in this story. I had to went through a few more articles, and I’ve finally found the answer. When I applied the solution that uses --batch --no-tty for the first time, it didn’t take any effect. However, it turned out that gpg-agent works with GPG 2.x. When I run gpg --version I noticed the following:

It revealed that gpg in my system points to version 1.4.23. Would it mean that there is no GPG 2.x in Fedora Linux? Nope, not really. GPG 2.x is available for Fedora Linux, but as a gpg2 shell command.

When I replaced the initial script with gpg2 - it worked as expected.

I was able to create the first commit from IntelliJ IDEA. The gpg-agent prompted for the password and I was able to store it in the keyring.

I just make some experiments and it seems like using intermediate script that adds --batch --no-tty switches is no needed when you use gpg2 with gpg-agent. (At least in my case). My current setup is the following. I have changed the default gpg program to gpg2 in my ~/.gitconfig file:

Here is my gpg-agent version.

Make sure that gpg-agent daemon is running. You can start it with the following command:

When you create a first signed commit via command line or from IntelliJ IDEA (I’ve checked both cases after removing remembered password from the keyring), gpg-agent will prompt and ask you for a password that can be stored in the keyring.

If you are interested in enabling GPG signing of your Git commits, consider checking this step-by-step guide, where you can find even more information about the setup process. Happy hacking!