- Package: git-debpush
- Source: git-debpush
- Submitter: Andrej Shadura
- Date: 2026-06-11 09:57:01 UTC
- Severity: normal
- Tags:
Hi,
I use multiple email addresses when committing, and often commit using my non-Debian email address. When I run git-debpush, this will result in the tag being signed by a key that’s not in the keyring, resulting in tag2upload rejecting my upload.
Please allow selecting the key to be used for signing using one or more of these:
* DEB_SIGN_KEYID environment variable
* DEBSIGN_KEYID variable in ~/.devscripts
* a setting in the Git config, e.g. debpush.keyid, dgit.keyid etc.
Hello, This is something of a minefield because there are also DEBFULLNAME and DEBEMAIL. In my ~/.devscripts I have both DEB_SIGN_KEYID and DEBSIGN_KEYID; I have no idea why. Do you have references for these two variables? It would be better to rely on existing env vars / config rather than adding new git config options.
Andrej Shadura writes ("Bug#1108267: git-debpush should allow selecting the key to sign with"):
your git is configured by default to use a name and email that don't
correspond to your key? But I don't think those influence key
selection at all.
Currently, git-debpush just uses git-tag and by default allows git-tag
to choose which key to use. I believe git-tag then just lets gnupg
decide.
I think your desired behaviour is that the git-debpush tag has
your default git committer name/email but is signed by your Debian
key? Or do you want it to have a different name/email in the tag?
Sean Whitton writes ("Bug#1108267: git-debpush should allow selecting the key to sign with"):
Arguably we should use those for the tagger line in the tag?
Sean, you'll want to read RTFM debsign(1). It actually explains the
behaviour (!) See in particular its CONFIGURATION VARIABLES section,
and the description of `-mmaintainer`.
Open questions (which may overlap):
Q1. How much do we want to mimic the behaviour of debsign (which in
turn is trying to mirror the behaviour of dpkg-source but AFAICT
with extra env vars) ?
Q3. What is the flow of information/defaults:
(a) Calculate the tagger line (name and email address) order.
Then use that as the default for the key username.
(b) Do the tagger name and email address separately from
the key username / keyid (so name/email address env vars and
command line options don't influence key selection) ?
(c) Always just use the name/email from git for the tagger line,
and only allow overriding of the -u option to git-tag.
Q4. Which env vars are we going to use? DEBFULLNAME/DEBEMAIL are very
commonly set and many tools use them. DEBSIGN_KEY seems useful.
DEBSIGN_MAINT ?
Q5. Are we going to have the d/changelog Changed-by information
influence the tagger line and/or key selection? debsign does.
dgit allows the dchangelog to influence author/committer lines and
I think also tagger lines.
Ian.
Hi, Well, these are for changelog trailers/commit metadata. I sometimes use my work email in those, but that key is not in the Debian keyring. DEBSIGN_* is only used by debsign and only as a ~/.devscripts variable, not as an environment variable. DEB_SIGN_* is used by dpkg-buildpackage and only as an environment variable. I source ~/.devscripts from my ~/.profile and export some of those, likely you did something similar back in the day :) Yes, but OTOH dgit has already set the precedent.
Andrej Shadura writes ("Bug#1108267: git-debpush should allow selecting the key to sign with"):
Urgh, this is a bit of a mess, isn't it?
I'm pretty sure we don't want git-debpush to read ~/.devscripts.
Ian.
Hello,
I think we should leave it the same as the commit identity.
Thanks.
If people don't have to reconfigure anything and git-debpush just works,
and we don't make things completely incomprehensible to someone new who
hasn't (and may never) use debsign, that's a win.
(d) Always just use the name/email from git for the tagger line *but*
select a keyid intelligently based on DEBFULLNAME/DEBEMAIL ?
Hello, This won’t work as DEBFULLNAME/DEBEMAIL is what goes into the changelog, not what the uploads are signed with. In my case, DEBEMAIL is andrewsh@collabora.co.uk for some packages, but I don’t have that key in the Debian keyring. And I want to keep it that way. The usual upload workflow allows this, as does dgit.
What is blocking us here is the fact that we don't really know other people's use cases, and we've got hung up on DEBEMAIL etc. We think we know Andrej's use case. (I spoke to Andrej about this irl.) I suggest that we change git-debpush to honour DEBSIGN_KEYID in the environment (as debsign does) and call this bug done. It would override git config and the default, but be overridden by -u. I think this doesn't prevent us possibly honouring DEBEMAIL and DEBFULLNAME later (for tagger field, or key selection). Sean, does this SGTY?
Ian.
Ian Jackson writes ("Re: Bug#1108267: git-debpush should allow selecting the key to sign with"):
I misread the debsign docs. I mean DEB_SIGN_KEYID in the environment
as dpkg-buildpackage does. (DEBSIGN_KEYID is only in ~/.devscripts.)
Ian.
Hello, Yes, I think this is okay. We should probably be willing to change our mind with an incompatible change if it turns out this is the wrong default for large numbers of people.
tags -1 + newcomer
We think these bugs would make good places to start playing with src:dgit.
Ian.
Adding to this one, My workflow is to have my commits to salsa signed by ssh-keys [1] on each machine so I can work when travelling on things and sign the commits, then upload when I'm home and reunited with my key. It didn't cross my mind that git-debpush would tag with that key, so my first t2u job failed tonight! [2] It makes logical sense, now I've thought about it at least. Making the guard rails a little stronger for forcing GPG and checking keyid would be a helpful bonus and avoid little sharp edges like this - I'll know next time and do some configuration in the interim.
[1] https://salsa.debian.org/debian-hamradio-team/ax25-apps/-/commit/3e8c8270d8a7b4d68205efa1f0ed9a2820abda41#
[2] https://tag2upload.debian.org/job/1046
Cheers, Hibby
Paul Gevers writes ("Re: [tag2upload 2388] rejected siridb-connector debian/2.1.6-1 https://salsa.debian.org/siridb-team/siridb-connector.git"):
git config dgit-distro.debian.keyid
git config dgit.default.keyid
This is documented in dgit(1).
But you probably meant to ask about git-debpush :-).
We don't have a feature for that yet. This is tracked in #1108267
where another user needed something like this. I'm CCing that bug.
In the meantime it does have a `-u keyid` option. I appreciate that
that's not as convenient.
Ian.
Hi, I meant s/dgit/git-debpush/ indeed. Ack. If it matters, both my keys have the same names and addresses on them. Basically the one I use for git signing is my former Debian key and the other is my current key. So no heuristic can tell which key I need for uploading to the archive except those that use the keyring of the archive. Paul
Paul asked on irc whether git-debpush ought to honour the dgit.* git config keys. I think the answer is "yes". While git-debpush isn't dgit, I think git-debpush is allowed to look at the configuration for other programs, especially git config. I'll write a summary of what I think the behaviour should be. Ian.
git-debpush should have a way to configure the gpg key to use. It should look at the following places, in order:
* command line -u option (already implemented)
* git config option dgit-distro.$distro.keyid
* git config option dgit.default.keyid
* environment variable DEB_SIGN_KEYID
This could be documented under the -u option in git-debpush.
Ian.
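The lookup order summarised above, together with a check for the ssh-signing case Hibby describes earlier in the thread, as an added shell example (not git-debpush's code and not part of Ian's message). It assumes "in order" means the first non-empty setting wins; `cfg`, `resolve_keyid`, `signing_format_ok`, `KEYID` and `KEYID_SOURCE` are hypothetical names.

```shell
#!/bin/bash
# Added example; not git-debpush's own code.

# cfg NAME: read one git config value (hypothetical helper, kept separate so
# the lookup is easy to stub when testing).
cfg() { git config --get "$1" 2>/dev/null; }

# resolve_keyid DISTRO [CLI_KEYID]
# Sets KEYID and KEYID_SOURCE from the first non-empty setting, in the order
# given in the summary. Returns 1 if nothing is configured, in which case the
# caller omits -u and git-tag/gnupg choose the key as they do today.
resolve_keyid() {
    local distro="$1" cli="${2:-}" name value
    KEYID= KEYID_SOURCE=
    if [ -n "$cli" ]; then
        KEYID=$cli KEYID_SOURCE="-u option"
        return 0
    fi
    for name in "dgit-distro.$distro.keyid" dgit.default.keyid; do
        value=$(cfg "$name") || value=
        if [ -n "$value" ]; then
            KEYID=$value KEYID_SOURCE="git config $name"
            return 0
        fi
    done
    if [ -n "${DEB_SIGN_KEYID:-}" ]; then
        KEYID=$DEB_SIGN_KEYID KEYID_SOURCE="environment DEB_SIGN_KEYID"
        return 0
    fi
    return 1
}

# signing_format_ok: guard for the ssh-signing case reported in this bug.
# git's gpg.format defaults to openpgp; with ssh or x509 the tag signature
# is not made by an OpenPGP key at all, whatever key id was selected.
signing_format_ok() {
    local fmt
    fmt=$(cfg gpg.format) || fmt=
    [ -z "$fmt" ] || [ "$fmt" = openpgp ]
}
```

A caller would run `signing_format_ok` before tagging and pass `-u "$KEYID"` to git-tag only when `resolve_keyid` succeeds, reporting `KEYID_SOURCE` so the user can see which setting was used.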
git-debpush should have a way to configure the gpg key to use. It should look at the following places, in order:
* command line -u option (already implemented)
* git config option dgit-distro.$distro.keyid
* git config option dgit.default.keyid
* environment variable DEB_SIGN_KEYID
This could be documented under the -u option in git-debpush.
git-debpush should have a way to configure the gpg key to use. See message 82 in this bug for details. (Sorry for the noise. This "summary" feature didn't do what I hoped.) Ian.