argo-cd: Unable to add GPG key with subkeys
Playing with the new GPG verification functionality, I’ve been unable to have ArgoCD verify a commit signed with my subkey.
- Add my signing subkey through the GUI (created via `gpg --export -a --export-options export-minimal 8D0448DB47D9F31EADF3B12DB7CC4EE4F818B84D!`)
- Notice that it created the GPG key with the ID of my master key (A37403A776EBF4E5)
- Under "Synced" in the GUI, observe: "Invalid signature from RSA key B7CC4EE4F818B84D"
If I manually edit the configmap to use B7CC4EE4F818B84D as a key instead of A37403A776EBF4E5, then I get the error:
`Unable to load data: Key parsed for entry with key ID 'B7CC4EE4F818B84D' had different key ID 'A37403A776EBF4E5'`
About this issue
- State: open
- Created 4 years ago
- Reactions: 2
- Comments: 15 (9 by maintainers)
So if I print a gpg key using
and install that pub key (`gpg -a --export CCCCCCCCCCCCCC`), argocd refers to it using AAAAAAAAAAAAAAAAA. If I then use the GUI to set GPG SIGNATURE KEYS for a project, autocomplete suggests AAAAAAAAAAAAAAAAA. If I then sign a commit with CCCCCCCCCCCCCCCCCCC, argo refuses to deploy. Technically that pubkey is valid for CCCCCCCCCCCCCCCCCCC but that is not explicitly in GPG SIGNATURE KEYS. If you manually put in CCCCCCCCCCCCCCCCCCC then it works fine. It's a GUI issue where it's not clear that you need to specify the subkey explicitly, and the autocomplete compounds it. The way the underlying logic works is fine and it's good to be explicit in this case. A fix could be to make autocomplete suggest subkeys, or put something in the docs.
I think the confusion arises because GitHub treats the pubkey of AAAAAAAAAAAAAAAAA as being valid for CCCCCCCCCCCCCCCCCCC when verifying commits rather than requiring it to be explicitly referenced. So you can have a situation where the same pubkey appears to be installed on GitHub and argo, GitHub allows the signed commit but argo says no.
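The thread turns on one detail: an exported key blob carries a primary public-key packet plus public-subkey packets, each with its own fingerprint-derived key ID, and the project's allow-list has to name the exact ID that made the signature. The following is an added example, not ArgoCD's code: it walks the OpenPGP packets of a key blob, derives the 64-bit key ID of the primary key and of each subkey, and models the two checks the issue reports (`entry_matches` for the "had different key ID" load error, `signature_allowed` for the project-level GPG SIGNATURE KEYS match). Both model functions are assumptions about the behaviour described above, not ArgoCD functions, and the sample key is constructed with tiny dummy RSA numbers, so it is structurally valid but cryptographically meaningless.

```python
# Added example (not ArgoCD's code): list primary and subkey IDs in an OpenPGP public
# key blob and model the two checks described in the issue thread.
import base64
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key or public-subkey packet (RFC 4880 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a two-byte length, followed by the body."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || two-byte body length || body) (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def dearmor(text: str) -> bytes:
    """Turn an ASCII-armored PUBLIC KEY BLOCK (what `gpg -a --export` prints) into raw bytes.
    Assumes the usual layout: BEGIN line, optional headers, blank line, base64, optional =CRC line."""
    inside, in_body, payload = False, False, []
    for ln in (ln.strip() for ln in text.splitlines()):
        if ln.startswith("-----BEGIN PGP"):
            inside = True
        elif ln.startswith("-----END PGP"):
            break
        elif inside and not in_body:
            in_body = ln == ""                # blank line ends the armor headers
        elif inside and ln and not ln.startswith("="):   # a leading '=' marks the CRC24 line
            payload.append(ln)
    return base64.b64decode("".join(payload))


def key_ids(blob: bytes) -> dict:
    """Walk the packets and return {'primary': <16 hex chars>, 'subkeys': [<16 hex chars>, ...]}."""
    ids = {"primary": None, "subkeys": []}
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        if ctb & 0x40:                        # new-format header (RFC 4880 4.2.2)
            tag, b1 = ctb & 0x3F, blob[i + 1]
            if b1 < 192:
                hdr, length = 2, b1
            elif b1 < 224:
                hdr, length = 3, ((b1 - 192) << 8) + blob[i + 2] + 192
            elif b1 == 255:
                hdr, length = 6, struct.unpack(">I", blob[i + 2:i + 6])[0]
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:                                 # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                hdr, length = 2, blob[i + 1]
            elif ltype == 1:
                hdr, length = 3, struct.unpack(">H", blob[i + 1:i + 3])[0]
            elif ltype == 2:
                hdr, length = 5, struct.unpack(">I", blob[i + 1:i + 5])[0]
            else:
                raise ValueError("indeterminate packet length is not handled")
        body = blob[i + hdr:i + hdr + length]
        i += hdr + length
        if tag == 6:                          # public-key packet: the primary key
            ids["primary"] = fingerprint(body)[-16:]
        elif tag == 14:                       # public-subkey packet
            ids["subkeys"].append(fingerprint(body)[-16:])
    return ids


def entry_matches(configured_id: str, blob: bytes) -> bool:
    """Model (an assumption, not ArgoCD code) of the "Key parsed for entry with key ID X had
    different key ID Y" check: the entry's ID must equal the primary key ID parsed from the blob."""
    return key_ids(blob)["primary"] == configured_id.upper()


def signature_allowed(allowed_ids: set, signing_key_id: str) -> bool:
    """Model (an assumption, not ArgoCD code) of the project GPG SIGNATURE KEYS check: the exact
    key ID that produced the signature must be listed; being a subkey of a listed primary is not enough."""
    return signing_key_id.upper() in {k.upper() for k in allowed_ids}


# Constructed sample: one primary key and one subkey with dummy moduli (real keys use 2048+ bit n).
CREATED, E = 1600000000, 65537
PRIMARY_BODY = v4_rsa_key_body(CREATED, 0xC0FFEE0DDBA11D15EA5E, E)
SUBKEY_BODY = v4_rsa_key_body(CREATED + 60, 0xFEEDFACECAFEBEEFD00D, E)
SAMPLE_BLOB = packet(6, PRIMARY_BODY) + packet(14, SUBKEY_BODY)
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                  + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
                  + "-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    ids = key_ids(dearmor(SAMPLE_ARMORED))
    sub = ids["subkeys"][0]
    print("primary key ID:", ids["primary"], "subkey IDs:", ids["subkeys"])
    print("entry keyed by primary ID loads:", entry_matches(ids["primary"], SAMPLE_BLOB))
    print("entry keyed by subkey ID loads: ", entry_matches(sub, SAMPLE_BLOB))
    print("subkey signature, only primary listed:", signature_allowed({ids["primary"]}, sub))
    print("subkey signature, subkey listed too:  ", signature_allowed({ids["primary"], sub}, sub))
```

Running it against a real `gpg -a --export <subkey-id>!` output shows which of the printed IDs ArgoCD will display for the entry (the primary) and which one must be added to GPG SIGNATURE KEYS for commits signed with the subkey (the subkey entry), which is the distinction the autocomplete hides.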