How to fix error: gpg: Signature made with unavailable algorithm. Can't check signature: No public key in Git

GitINTERMEDIATELOW

This error occurs when GPG cannot verify a Git commit or tag signature because the signer's public key is missing from your keyring or an unsupported cryptographic algorithm was used. The fix involves importing the required public key from a keyserver or the signer directly.

What this error means

This error indicates that GPG (GNU Privacy Guard) failed to verify a cryptographic signature on a Git commit or tag. The signature verification process requires two things: the signer's public key in your GPG keyring and support for the cryptographic algorithm used to create the signature. When you run commands like `git verify-commit`, `git verify-tag`, `git log --show-signature`, or `git pull` on a repository with signed commits, Git invokes GPG to check the signatures. If GPG cannot find the public key that corresponds to the private key used to create the signature, it reports "Can't check signature: No public key." The "unavailable algorithm" variant of this error means the signature was created using a cryptographic algorithm that your version of GPG does not support or has disabled for security reasons. This commonly happens with older signatures that used SHA-1 or other deprecated algorithms, or when there's a version mismatch between the GPG that created the signature and yours.

How to fix "error: gpg: Signature made with unavailable algorithm. Can't check signature: No public key"

1Identify the missing key ID

First, find the key ID that GPG is looking for:

bash

# Check the signature on a specific commit
git log --show-signature -1 <commit-hash>

# Or verify a specific tag
git tag -v <tag-name>

Example output:

bash

gpg: Signature made Mon Jan 15 10:30:00 2024 UTC
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key

The key ID is 4AEE18F83AFDEB23. Note this for the next steps.

To see all unverified commits:

bash

git log --show-signature --oneline | grep "Can't check"

2Import the public key from a keyserver

Use the key ID to fetch the public key from a public keyserver:

bash

# Import from Ubuntu keyserver (most reliable)
gpg --keyserver keyserver.ubuntu.com --recv-keys <KEY_ID>

# Or from keys.openpgp.org
gpg --keyserver keys.openpgp.org --recv-keys <KEY_ID>

# Example with a real key ID:
gpg --keyserver keyserver.ubuntu.com --recv-keys 4AEE18F83AFDEB23

Expected output:

bash

gpg: key 4AEE18F83AFDEB23: public key "User Name <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

If the keyserver is unreachable, try alternatives:

bash

# MIT keyserver
gpg --keyserver pgp.mit.edu --recv-keys <KEY_ID>

# keys.gnupg.net
gpg --keyserver hkps://keys.gnupg.net --recv-keys <KEY_ID>

3Import GitHub web-flow key (for GitHub-signed commits)

When commits are made via GitHub's web interface (editing files, merge buttons, squash merges), GitHub signs them with its own GPG key. Import this key to verify those commits:

bash

# Download and import GitHub's web-flow GPG key
curl https://github.com/web-flow.gpg | gpg --import

Expected output:

bash

gpg: key 4AEE18F83AFDEB23: public key "GitHub (web-flow commit signing) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

For GitLab:
GitLab does not currently sign web commits with a GPG key, so web edits on GitLab will not have GPG signatures.

Verify the import worked:

bash

gpg --list-keys --keyid-format long | grep -A 1 "github"

4Import a key from a file

If the signer provides their public key as a file (common in organizations):

bash

# Import from a .asc or .gpg file
gpg --import colleague-key.asc

# Import from a URL
curl https://example.com/team-member.gpg | gpg --import

Ask the signer to export their key:

bash

# They run this command:
gpg --export --armor [email protected] > their-public-key.asc

# Then share the .asc file with you

For project-wide keys stored in the repository:

bash

# Some projects store maintainer keys in a KEYS file
gpg --import KEYS

5Verify the signature after importing

After importing the key, verify the signature works:

bash

# Verify a specific commit
git verify-commit <commit-hash>

# Verify with detailed output
git log --show-signature -1 <commit-hash>

# Verify a tag
git verify-tag <tag-name>

Expected successful output:

bash

gpg: Signature made Mon Jan 15 10:30:00 2024 UTC
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Good signature from "User Name <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!

The "WARNING: This key is not certified" message is normal - it means you haven't personally verified and signed the key (Web of Trust). The signature is still cryptographically valid.

6Configure GPG for automatic key retrieval

Set up GPG to automatically fetch missing keys from keyservers:

bash

# Edit GPG configuration
nano ~/.gnupg/gpg.conf

Add these lines:

bash

# Automatically retrieve keys from keyserver
auto-key-retrieve

# Use Ubuntu keyserver by default
keyserver hkps://keyserver.ubuntu.com

Save and test:

bash

# Now verification will auto-fetch missing keys
git log --show-signature -1 <commit-with-unknown-key>

Note: Auto-retrieval may be slow and can leak information about what you're verifying to the keyserver.

7Handle algorithm compatibility issues

If you see "Signature made with unavailable algorithm" or "Invalid digest algorithm", the signature may use deprecated cryptography:

Check your GPG version:

bash

gpg --version

For GPG 2.3+ with SHA-1 signatures:
Modern GPG versions may reject SHA-1 signatures. You can temporarily allow them:

bash

# Add to ~/.gnupg/gpg.conf (use with caution)
allow-weak-digest-algos

Or verify with a specific flag:

bash

gpg --allow-weak-digest-algos --verify signature.asc file

Better solution: Contact the signer and ask them to re-sign with SHA-256 or SHA-512:

bash

# Signer should use stronger digest
gpg --digest-algo SHA512 --sign file

For unsupported key algorithms, you may need to upgrade GPG:

bash

# Ubuntu/Debian
sudo apt update && sudo apt upgrade gnupg

# macOS
brew upgrade gnupg

# Fedora/RHEL
sudo dnf upgrade gnupg2

8Skip signature verification (if not required)

If signature verification isn't critical for your workflow, you can disable or bypass it:

Disable for a single operation:

bash

# Clone without verifying signatures
git clone --config gpg.program=/bin/true https://github.com/user/repo.git

# Pull without verification
git -c gpg.program=/bin/true pull

Disable globally (not recommended for security-sensitive work):

bash

# Don't require valid signatures on merge
git config --global merge.verifySignatures false

# Skip tag verification
git config --global tag.gpgSign false

Note: Disabling signature verification removes an important security layer. Only do this if you understand the implications and trust the source through other means.

Advanced notes

### Understanding GPG Signature Status Codes

When using git log --show-signature or the %G? format specifier, GPG reports these status codes:

| Code | Meaning |
|------|---------|
| G | Good (valid) signature |
| B | Bad signature |
| U | Good signature with unknown validity |
| X | Good signature that has expired |
| Y | Good signature made by an expired key |
| R | Good signature made by a revoked key |
| E | Cannot check signature (missing key) |
| N | No signature |

bash

# Show status code for each commit
git log --format='%h %G? %s' --show-signature

### Trust Levels and the Web of Trust

After importing a key, you may want to set its trust level:

bash

# Edit key trust
gpg --edit-key <KEY_ID>
gpg> trust
# Select trust level (1-5)
# 5 = ultimate trust (for your own keys)
# 4 = full trust (for keys you've verified)
# 3 = marginal trust
gpg> quit

### Keyserver Configuration

If you frequently work with signed commits, configure your preferred keyserver:

bash

# ~/.gnupg/gpg.conf
keyserver hkps://keyserver.ubuntu.com
keyserver-options auto-key-retrieve
keyserver-options honor-keyserver-url

### Working with Expired Keys

Signatures made before a key expired are still valid. To verify old signatures:

bash

# Check when the key expired
gpg --list-keys <KEY_ID>

# The signature date matters, not current key status
# If signed before expiration, it's still a valid historical signature

### Corporate/Enterprise Key Distribution

In enterprise environments, distribute team GPG keys via:

1. Internal keyserver: Host a SKS or Hockeypuck keyserver
2. Git repository: Store team keys in a KEYS file
3. Configuration management: Deploy keys via Puppet, Ansible, or similar

bash

# Import all team keys from repository
git clone internal/team-keys.git
gpg --import team-keys/*.asc

### Debugging GPG Issues

For detailed GPG debugging:

bash

# Set debug output
export GPGME_DEBUG=9
git log --show-signature -1

# Check GPG agent status
gpg-connect-agent 'GETINFO version' /bye

# Restart GPG agent if needed
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

### Verifying Signatures in CI/CD

For CI/CD pipelines that verify commit signatures:

yaml

# .gitlab-ci.yml example
verify_signatures:
  script:
    - apt-get update && apt-get install -y gnupg
    - gpg --import ${TEAM_GPG_KEYS}
    - git verify-commit HEAD

yaml

# GitHub Actions example
- name: Import GPG keys
  run: |
    curl https://github.com/web-flow.gpg | gpg --import
    gpg --keyserver keyserver.ubuntu.com --recv-keys ${{ vars.TEAM_KEY_IDS }}

How to fix error: gpg: Signature made with unavailable algorithm. Can't check signature: No public key in Git

What this error means

Typical symptoms

Common causes

How to fix "error: gpg: Signature made with unavailable algorithm. Can't check signature: No public key"

Advanced notes

Related errors

Official resources & further reading