fatal: the receiving end does not support --signed push

[shivajipotnuru]

Hi, my Github Org has a hook setup , that rejects any commit that is not signed with GPG key.

So i've created a Service account , Created a new GPG key for that service account & configured my GIthub workflow to import the GPG key.

Here is how i am importing my GPG key & installing the semantic release:

- name: Import GPG key
        run: |
          openssl enc -d -aes-256-cbc -in git_gpg_keys.asc.enc -out /tmp/git_gpg_keys.asc -pass pass:$GPG_PASSPHRASE -pbkdf2
          chmod 600 /tmp/git_gpg_keys.asc
          # Import the gpg key
          gpg --batch --yes --import /tmp/git_gpg_keys.asc
          # Create a script to pass the passphrase to the gpg CLI called by git
          echo '#! /bin/bash' > /tmp/gpg-with-passphrase
          echo -n "$(which gpg) --pinentry-mode loopback --passphrase '$GPG_PASSPHRASE' --no-tty " >> /tmp/gpg-with-passphrase # -n = no new line for the next "echo" to works properly ; also quoted and env-ed because the passphrase could contains special chars like "$"
          echo '"$@"' >> /tmp/gpg-with-passphrase # prevent interpreting "$@" and render it as is for the bin
          chmod +x /tmp/gpg-with-passphrase # can be more secure if needed
          git config --global user.signingKey "${{ secrets.GPG_KEY_ID }}"
          git config --global commit.gpgSign true
          git config --global tag.gpgSign false
          git config --global push.gpgSign true
          git config --global gpg.program /tmp/gpg-with-passphrase
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_KEY_PASSPHRASE  }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID  }}
- name: Install dependencies & Release
        run: |
          npm install
          npx semantic-release --debug

i am receving this error. Could someone please help me?

[travi]

Please share your config. Are you committing during your release with this plug-in? Is this commit what is failing, or is it rejecting the tag?

[shivajipotnuru]

Hi , Thanks for replying back , here is my config file.

.releaserc.json

{
    "tagFormat": "${version}",
    "branches": [
      "main",
      {
        "name": "develop",
        "channel": "beta"
      },
    {
      "name": "release-*",
      "prerelease": "true"
    },
     {
      "name": "test*",
      "channel": "alpha"
     }
    ],
    
    "plugins": [
      "@semantic-release/commit-analyzer",
      [
        "@semantic-release/release-notes-generator",
        {
          "preset": "conventionalcommits",
          "presetConfig": {
            "types": [
              { "type": "feat", "section": "Added", "hidden": false },
              { "type": "fix", "section": "Fixed", "hidden": false },
              { "type": "perf", "section": "Changed", "hidden": false },
              { "type": "refactor", "section": "Changed", "hidden": false },
              { "type": "test", "section": "Added", "hidden": false },
              { "type": "revert", "section": "Changed", "hidden": false },
              { "type": "docs", "section": "Docs", "hidden": true },
              { "type": "style", "section": "Styles", "hidden": true },
              { "type": "chore", "section": "Chores", "hidden": true },
              { "type": "build", "section": "Added", "hidden": false },
              { "type": "ci", "section": "Changed", "hidden": false }
            ]
          }
        }
      ],
      [
        "@semantic-release/changelog",
        {
          "changelogFile": "CHANGELOG.md",
          "changelogTitle": "# Changelog"
        }
      ],
      [
        "@semantic-release/git",
        {
          "assets": [
            "CHANGELOG.md"
          ],
          "message": "chore(release): update changelog for ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
        }
      ],
      [
        "@semantic-release/github",
        {
         "githubUrl": "https://github.<org>.com",
         "githubApiPathPrefix": "/api/v3"
        }
      ]
    ]
  }

I am not able to pin point where exactly is the issue☹️😭

When the below command is true , i recieve the above error.
git config --global push.gpgSign true

When i change the push.gpgsign to false , i recieve the below mentioned error.

git config --global push.gpgSign false
error:

[shivajipotnuru]

Hi , Can someone please help me out here?🙄

[travi]

Hi , Can someone please help me out here?🙄

please avoid pressuring our maintenance team to respond more quickly. we are volunteer maintainers and do not support this project as a full time role. we do our best to help when we are able, but pressuring for faster responses is more likely to result in us being discouraged from interacting than resulting in a faster answer.

When i change the push.gpgsign to false , i recieve the below mentioned error.

i do not know the details of the hook you are working with, but it appears that it is not requiring the push to be signed, but instead the refs that are pushed. i would expect that native git should be enabling you to sign any actual commits, but as a reminder, we discourage making commits during your release if they can be avoided in the context of your project. since it looks like you are only making commits for the changelog file and it appears that you are using github, we instead encourage using github's releases for sharing the release notes for your releases. if you do not make commits during your release, there are no commits to sign, so there is complexity that you could avoid.

from the last error you provided (side note: please provide the actual text output as a text block instead of screenshots), it looks like the detail that is being rejected is our use of git notes. those are refs, but a form of ref that git does not natively sign. based on a quick search, here is some confirmation of that point: https://stackoverflow.com/questions/77338186/how-can-i-sign-git-notes#answer-77338208. because git does not natively support signing of notes, we have no intention of enabling any sort of support for signing notes in the core of semantic-release. you will likely need to work with whoever has defined the hook you describe to refine it in a way that it does not prevent pushing git notes, even though they will not be signed.

the last part of the equation would be the tag that is added by our core. there are some complexities around signing tags with semantic-release that we have existing conversations happening about. for now, it is best to expect that tags created by semantic-release cannot be signed and there is no defined timeline around that capability even being decided on. if you get your hook updated to allow unsigned git notes and then find that it errors because of an unsigned tag, you may need to make a similar adjustment for that as well.