Red Hat Bugzilla – Bug 186963
how to sign CLA with subkey
Last modified: 2008-03-17 14:00:42 EDT
We likely need to update the email you send people in the CLA process as well as
the Wiki pages online; or maybe the email has a pointer to the Wiki, which can
have all kind of exceptions and use-cases resolved.
## begin email from Thomas Bleher
I tried to get an Fedora account and had real difficulties signing the
CLA so the script would accept it. I finally managed to do it and am
writing you so you can either fix the script or amend the documentation.
My key looks like this:
$ gpg --list-keys 'Thomas Bleher'
pub 1024D/B2F4ABE7 2004-01-30
uid Thomas Bleher <ThomasBleher@gmx.de>
uid Thomas Bleher <firstname.lastname@example.org>
uid Thomas Bleher <email@example.com>
uid Thomas Bleher (Used for Archive Signing) <firstname.lastname@example.org>
sub 1024g/2A40FB55 2004-01-30
sub 1024D/5314F77F 2004-02-18
Notice the subkey. Normally I use 5314F77F to sign everything. But the
script would always deny my request (I tried specifying both 5314F77F and
B2F4ABE7 as my GPG key on the "Edit Account" page but it didn't make a
It finally worked after I told gpg explicitly to sign the message with
my main key:
$ gpg -a -u B2F4ABE7! --sign fedora-icla-tbleher.txt
(Notice the ! which tells gpg that exactly this key should be used).
It would also be helpful if the reject mail included some information why the
signature failed to verify (the gpg command line and output would already help
a lot in some cases); in my case I first had a buggy gpg version which
produced invalid output (--clearsign worked but -a --sign did not) - if the
command output were included in the returned mail it would have been easier to
figure out the problem.
This problem should no longer exist in FAS2 (since GPG signed emails are no