WSL Ubuntu: git gpg signing Inappropriate ioctl for device #4029

Closed
dotnetCarpenter opened this issue May 10, 2019 · 16 comments
@dotnetCarpenter

  • Your Windows build number: (Type ver at a Windows Command Prompt)
    Microsoft Windows [Version 10.0.17763.1]

  • What you're doing and what's happening:
    Signing git commits with gpg is failing with:
    error: gpg failed to sign the data
    fatal: failed to write commit object

gpg --list-secret-keys --keyid-format LONG

/home/dotnet/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/C32DC3150633DD41 2019-05-09 [SC] [expires: 2021-05-08]
      7C085468A3D6FDD52C9999ADC32DC3150633DD41
uid                 [ultimate] dotnetCarpenter (Developer) <[email protected]>

git config -l

user.signingkey=C32DC3150633DD41
[email protected]
user.name=dotnetCarpenter
gpg.program=gpg

Quick repro

echo "test" | gpg --clearsign

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device

gpg --version

gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dotnet/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
  • What's wrong / what should be happening instead:
    git should sign my commit with my key.

  • Strace of the failing command:
    echo "test" | strace -o gpg.strace -f gpg --clearsign
    gpg.strace

git --version: git version 2.17.1

@therealkenc
Collaborator

echo "test" | gpg --clearsign

Needs more steps before the one-liner (setting up gpg keys) and the strace log needs to be threaded (strace -f). There is no EIO in the log unfortunately, because the error looks like it is coming from gpg-agent. Here I get:

$ echo "test" | gpg --clearsign
gpg: no default secret key: No secret key
gpg: [stdin]: clear-sign failed: No secret key

@dotnetCarpenter
Author

  • Strace of the failing command:
    echo "test" | strace -o gpg.strace -f gpg --clearsign
    gpg.strace

@therealkenc As I wrote above, the strace was done with echo "test" | strace -o gpg.strace -f gpg --clearsign, notice the -f. I regret that I do not understand the log, so I can not comment on the missing EIO. Can it be that the log is not complete?

You need to generate a key pair before you can encrypt/sign anything. See this guide: https://help.github.com/en/articles/managing-commit-signature-verification

Specifically this part: https://help.github.com/en/articles/generating-a-new-gpg-key

@therealkenc
Collaborator

Apologies, it was late when I wrote that, and I wasn't very clear at all. You did the strace correctly (which is appreciated). The problem is gpg-agent(1) is its own dog, and we can't see what it is doing. I don't have off-cuff steps for you to capture gpg-agent atm.

https://help.github.com/en/articles/managing-commit-signature-verification

Yes, I know how to create gpg keys. But CLI repro steps per the template are a better way to get attention from an NT kernel developer who might or might not know, and might or might not be inclined to chase weblinks.

@dotnetCarpenter
Author

dotnetCarpenter commented May 11, 2019

@therealkenc Thanks for the info. But this leaves me with 2 unsolved issues.

  1. I have no idea how I can capture debug information from gpg.
  2. There is no way to reproduce the issue without generating a private signing key and I cannot generate one for you (well, I could but you would still need to import it, which is more complicated than typing gpg --full-generate-key).

How do you propose I move this issue forward?

The error message Inappropriate ioctl for device is a general message that appears in searches for a lot of Ubuntu Bash for Windows (UBW) issues. That makes me think that it's describing a general missing feature in UBW, alike to Not implemented, which makes me think that "NT kernel developers" would easily be able to pinpoint the missing feature.

From strace:

access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/gcrypt/hwf.deny", O_RDONLY) = -1 ENOENT (No such file or directory)

@dotnetCarpenter
Author

dotnetCarpenter commented May 11, 2019

Ahh wait.. I know what is wrong.
My key has a passphrase but there is no prompt to enter the passphrase.
But then I read this: https://stackoverflow.com/a/55993078/205696
Step 3 is export GPG_TTY=$(tty), which sends the prompt to tty. After entering my passphrase, everything works.
echo "test" | gpg --clearsign

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

And here you have it: dotnetCarpenter/FLjs@b0a3528, my first verified commit on Ubuntu Bash on Windows done via git commit -S --amend && git push -f.

So the question is now: do I configure gpg with export GPG_TTY=$(tty) in my .bashrc or is there another standard way (i.e. a special program that needs to be installed) to make sure gpg does not fail?

I have been using Ubuntu and Mint for years without ever having this issue. So it seems that UBW is missing a standard setup that has been implemented in Ubuntu for years.

@dotnetCarpenter
Author

From the strace I get:

access("/home/dotnet/.gnupg/gpg.conf-2.2.4", R_OK) = -1 ENOENT (No such file or directory)
access("/home/dotnet/.gnupg/gpg.conf-2.2", R_OK) = -1 ENOENT (No such file or directory)
access("/home/dotnet/.gnupg/gpg.conf-2", R_OK) = -1 ENOENT (No such file or directory)
access("/home/dotnet/.gnupg/gpg.conf", R_OK) = -1 ENOENT (No such file or directory)
access("/home/dotnet/.gnupg/options", R_OK) = -1 ENOENT (No such file or directory)

Perhaps setting something alike to export GPG_TTY=$(tty) in .gnupg/gpg.conf would be the correct way to set up gpg for UBW.

@therealkenc
Collaborator

> Perhaps setting something alike to export GPG_TTY=$(tty) in .gnupg/gpg.conf would be the correct way to setup gpg for UBW.

Dunno. WSL just kind of does what it is told at the syscall level, modulo bugs. Tagging this question, at least for now, because there doesn't seem to be an actionable diverge. [That's not a bad thing.] That ENOENT is because there is no ENT, natch. Might get better answers in a Ubuntu forum.

@dotnetCarpenter
Author

Well for now I get around it with the following in my .bashrc:

# enable passphrase prompt for gpg
export GPG_TTY=$(tty)

@woss

woss commented Aug 21, 2020

This doesn't work in zsh either.

@cakecatz

@woss
I also use zsh.
At first I added it to the bottom of .zshrc and it didn't work, but when I added it to the top it worked.

@NirajanMahara

Follow the URL below to set up signed commits: https://help.github.com/en/articles/telling-git-about-your-signing-key

If you are still getting gpg failed to sign the data fatal: failed to write commit object

this is not an issue with git, it is an issue with GPG. Follow the steps below:

  1. gpg --version

  2. echo "test" | gpg --clearsign

If it is showing:

gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device

  3. then use export GPG_TTY=$(tty)

  4. then try echo "test" | gpg --clearsign again, which now includes the PGP signature.

Output:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
  5. git config -l | grep gpg

Output:

commit.gpgsign=true
gpg.program=gpg
tag.gpgsign=true
  6. apply git commit -S -m "initial commit 🚀🚀🚀🚀"
  7. or git config --global commit.gpgsign true

https://stackoverflow.com/questions/39494631/gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object-git-2-10-0/55993078#55993078
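
The `export GPG_TTY=$(tty)` workaround and the diagnostic steps in the comments above, as an added example that is not part of the thread or of any project's code. `tty` prints `not a tty` and exits non-zero when stdin is not a terminal, so this version guards the export; the function names are hypothetical and the character-device check is only a heuristic.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Export GPG_TTY only when stdin is a real terminal. tty(1) prints
# "not a tty" and exits non-zero otherwise, so the unguarded form
# export GPG_TTY=$(tty) would store that string in the variable.
set_gpg_tty() {
    if _sgt_dev=$(tty 2>/dev/null) && [ -c "$_sgt_dev" ]; then
        GPG_TTY=$_sgt_dev
        export GPG_TTY
        return 0
    fi
    return 1
}

# Report whether a GPG_TTY value can work: unset, invalid or ok.
# $1 defaults to the value in the current environment.
# "ok" only means the path is a character device (heuristic).
check_gpg_tty() {
    _cgt_val=${1-${GPG_TTY-}}
    if [ -z "$_cgt_val" ]; then
        echo "unset"
    elif [ ! -c "$_cgt_val" ]; then
        echo "invalid"      # e.g. the literal string "not a tty"
    else
        echo "ok"
    fi
}

# Map the two gpg failures quoted in this thread to a likely cause.
classify_gpg_error() {
    case $1 in
        *"Inappropriate ioctl for device"*) echo "no-terminal-for-passphrase-prompt" ;;
        *"No secret key"*)                  echo "no-signing-key" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Shell startup use: try to set it, and say so when that is not possible.
if ! set_gpg_tty; then
    echo "GPG_TTY is $(check_gpg_tty): gpg cannot prompt on this stdin" >&2
fi
```

Sourced from a shell startup file, this leaves any existing `GPG_TTY` untouched when stdin is redirected instead of overwriting it with an unusable value.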

@bdotsamir

Hello future travelers, I'm actually still having this issue. Yes, adding the GPG_TTY variable to my bashrc fixes the issue in a terminal, but it doesn't in VSCode, which is pretty much the only place I use git. Using the buttons to commit would normally work in a standard ubuntu environment, but in WSL, it can't open that extra X window needed to obtain my GPG passphrase.

How would I tell GPG to ask for my password using a gui instead of via the terminal? Because having to type echo "test" | gpg --clearsign every time I open VScode is pretty annoying.

@kilogold

kilogold commented Jul 4, 2023

> Hello future travelers, I'm actually still having this issue. Yes, adding the GPG_TTY variable to my bashrc fixes the issue in a terminal, but it doesn't in VSCode, which is pretty much the only place I use git. Using the buttons to commit would normally work in a standard ubuntu environment, but in WSL, it can't open that extra X window needed to obtain my GPG passphrase.
>
> How would I tell GPG to ask for my password using a gui instead of via the terminal? Because having to type echo "test" | gpg --clearsign every time I open VScode is pretty annoying.

Just to close the loop:
https://www.39digits.com/signed-git-commits-on-wsl2-using-visual-studio-code

@georglauterbach

> Hello future travelers, I'm actually still having this issue. Yes, adding the GPG_TTY variable to my bashrc fixes the issue in a terminal, but it doesn't in VSCode, which is pretty much the only place I use git. Using the buttons to commit would normally work in a standard ubuntu environment, but in WSL, it can't open that extra X window needed to obtain my GPG passphrase.
>
> How would I tell GPG to ask for my password using a gui instead of via the terminal? Because having to type echo "test" | gpg --clearsign every time I open VScode is pretty annoying.

Did you find a solution @bdotsamir?

@bdotsamir

Unfortunately I did not, @georglauterbach. Shortly after posting that comment, I received a macbook pro as a gift, thus solving my issue of having to use WSL at all. Sorry 😭

@georglauterbach

I see :) Against all odds, I figured out that my problem was the ~/.gnupg/gpg-agent.conf file, in particular the line with pinentry-program, but on my host. Removing that resolved my issue 🚀
