This Git error occurs when attempting to create a signed commit or tag using a GPG key that has been revoked. The revoked key is no longer valid for signing operations. You need to either generate a new key or use a different existing key for Git commit signing.
When you configure Git to sign commits or tags with GPG, Git invokes the GPG program to create cryptographic signatures. This error indicates that the GPG key you're using has been marked as revoked. A revoked key is one that the owner (or someone holding the revocation certificate) has explicitly invalidated. This typically happens when:

- The private key was compromised or suspected of compromise
- The key owner no longer uses that email address
- The key was lost and the owner has generated a new one
- The key was created for testing purposes and is no longer needed

Once a key is revoked, GPG refuses to use it for new signatures because doing so would defeat the purpose of revocation. The revocation is permanent and cannot be undone; this is by design to ensure security. Git checks for this condition when you attempt any signing operation, including `git commit -S`, `git tag -s`, or any commit when you have `commit.gpgsign = true` in your Git configuration.
First, check which GPG key Git is configured to use:

```bash
git config --global user.signingkey
```

Then verify the status of this key in your GPG keyring:

```bash
gpg --list-secret-keys --keyid-format=long
```

Look for your key in the output. A revoked key will show `[revoked]` or have an `r` flag. The output might look like:

```
sec   rsa4096/ABC123DEF456 2020-01-15 [SC] [revoked: 2024-06-01]
      ABCD1234EFGH5678IJKL9012MNOP3456QRST7890
uid           [revoked] Your Name <[email protected]>
```

Since revoked keys cannot be used, create a new GPG key:

```bash
gpg --full-generate-key
```

Follow the prompts:
1. Select key type: RSA and RSA (option 1) or ECC for modern systems
2. Key size: 4096 bits for RSA (recommended)
3. Expiration: Set an expiration date (1-2 years recommended)
4. Enter your name and email (must match your Git identity)
5. Set a strong passphrase
After generation, list your keys to get the new key ID:

```bash
gpg --list-secret-keys --keyid-format=long
```

Note the key ID after `sec rsa4096/` (e.g., `ABC123DEF456789`).

Update Git to use your new GPG key:

```bash
git config --global user.signingkey YOUR_NEW_KEY_ID
```

Replace `YOUR_NEW_KEY_ID` with the key ID from the previous step.

If you haven't enabled commit signing, you can do so with:

```bash
git config --global commit.gpgsign true
```

Verify the configuration:

```bash
git config --global --get user.signingkey
```

Export your new public key:

```bash
gpg --armor --export YOUR_NEW_KEY_ID
```

Copy the entire output, including the `-----BEGIN PGP PUBLIC KEY BLOCK-----` and `-----END PGP PUBLIC KEY BLOCK-----` lines.
For GitHub:
1. Go to Settings > SSH and GPG keys > New GPG key
2. Paste the key and click "Add GPG key"
For GitLab:
1. Go to User Settings > GPG Keys
2. Paste the key and click "Add key"
You may also want to remove the revoked key from these platforms to avoid confusion.
Create a test signed commit to verify everything works:

```bash
git commit --allow-empty -S -m "Test signed commit"
```

If successful, verify the signature:

```bash
git log --show-signature -1
```

You should see output indicating a valid signature:

```
gpg: Signature made Mon 01 Jan 2024 12:00:00 PM UTC
gpg: Good signature from "Your Name <[email protected]>"
```

If you have another valid (non-revoked) key you'd like to use instead:

```bash
gpg --list-secret-keys --keyid-format=long
```

Find a key without the `[revoked]` status and configure Git to use it:

```bash
git config --global user.signingkey EXISTING_VALID_KEY_ID
```

Make sure the email associated with this key matches your Git configuration:

```bash
git config --global user.email
gpg --list-keys EXISTING_VALID_KEY_ID
```

The emails should match for verified commits on GitHub/GitLab.
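The key-status check above (looking for the `[revoked]` marker or the `r` flag, and picking a key that is not revoked) as a script, added here as an example and not the article's own code: it parses gpg's machine-readable colon listing so the same check can run as a pre-commit guard. The function names, the `check_git_signing_key` wrapper and the sample listing are constructed for this example.

```shell
# Added example, not from the original article: detect a revoked signing key before Git
# tries to use it, by parsing gpg's machine-readable (--with-colons) key listing.
# In that format each "sec" (primary secret key) and "ssb" (secret subkey) record carries
# the validity in field 2 ("r" = revoked) and the key ID in field 5.

# key_status_from_listing KEYID   (colon-format listing on stdin)
# Prints "revoked", "ok" or "missing". KEYID may be short or long, any case,
# with or without the trailing "!" that forces a specific subkey.
key_status_from_listing() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want); sub(/!$/, "", want) }
        ($1 == "sec" || $1 == "ssb") &&
        substr($5, length($5) - length(want) + 1) == want {
            found = 1
            if ($2 == "r") revoked = 1
        }
        END {
            if (!found)       print "missing"
            else if (revoked) print "revoked"
            else              print "ok"
        }'
}

# check_git_signing_key [KEYID]: real keyring lookup for the key Git is configured
# with (user.signingkey) or the one given. Returns non-zero unless the key is usable,
# so it can be called from a pre-commit hook.
check_git_signing_key() {
    keyid=${1:-$(git config --get user.signingkey)}
    if [ -z "$keyid" ]; then
        echo "no user.signingkey configured" >&2
        return 2
    fi
    status=$(gpg --batch --with-colons --list-secret-keys "${keyid%!}" 2>/dev/null |
             key_status_from_listing "$keyid")
    echo "signing key $keyid: $status"
    [ "$status" = ok ]
}

# Constructed sample listing (not real gpg output): one revoked RSA key with a revoked
# encryption subkey, and one valid Ed25519 key.
SAMPLE_LISTING='sec:r:4096:1:ABC123DEF4567890:1579046400:::u:::scESC:::+:::23::0:
uid:r::::1579046400::0123456789ABCDEF0123456789ABCDEF01234567::Your Name <you@example.com>::::::::::0:
ssb:r:4096:1:1122334455667788:1579046400::::::e:::+:::23:
sec:u:256:22:1234ABCD5678EF90:1700000000:::u:::scESC:::+::ed25519:::0:
uid:u::::1700000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Your Name <you@example.com>::::::::::0:'

printf '%s\n' "$SAMPLE_LISTING" | key_status_from_listing ABC123DEF4567890   # revoked
printf '%s\n' "$SAMPLE_LISTING" | key_status_from_listing 1234ABCD5678EF90   # ok
```

Run `check_git_signing_key` from a `pre-commit` hook to fail the commit before Git invokes gpg with a revoked key.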
### Why Key Revocation is Permanent
GPG key revocation is designed to be irreversible for security reasons. Once a revocation certificate is imported, there's no way to "un-revoke" the key. This ensures that if a key is compromised and revoked, an attacker cannot simply remove the revocation.
If you accidentally revoked a key, your only options are:
- Generate a new key (recommended)
- If you still have the original key without the revocation, use that on a separate keyring (not recommended for production use)
### Handling Subkey Revocation
GPG keys can have subkeys for specific purposes (signing, encryption, authentication). If only a signing subkey was revoked but the master key is still valid, you can:
1. Create a new signing subkey:

```bash
gpg --edit-key YOUR_KEY_ID
gpg> addkey
```

2. Select a signing-capable key type and follow the prompts
3. Save and exit:

```
gpg> save
```

### Preventing Future Issues
Create a revocation certificate immediately after generating a new key:
```bash
gpg --gen-revoke YOUR_KEY_ID > revocation-certificate.asc
```

Store this certificate securely offline. Only use it if your key is actually compromised.
Set key expiration:
Using expiring keys (1-2 years) is a good practice. You can extend expiration before it expires, but if you lose access, the key becomes unusable automatically.
### GPG Agent Issues
If you're getting caching issues after switching keys, restart the GPG agent:

```bash
gpgconf --kill gpg-agent
gpg-agent --daemon
```

### Using SSH Signing Instead (Git 2.34+)
As an alternative to GPG, Git 2.34+ supports SSH key signing:

```bash
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
```

This can be simpler to manage than GPG keys for many workflows.