GPG Keys verify fail


I have trouble verifying my GPG key.
The key is self issued, no expiry date.
Currently I am signing all commits with that same key, all working OK.
When I click on “Verify”, the system provides a token and a place to paste the generated GPG signature.
The proposed method for generating the GPG signature is “echo “<token_number>” | gpg -a --default-key <key_ID> --detach-sig”, which I execute at the cmd prompt.
After entering my password for the certificate I get a “-----BEGIN PGP SIGNATURE----- xxx -----END PGP SIGNATURE-----” block in full ( xxx is a demo value, not to paste all in here ).
I copy/paste the generated signature block into the “Armored GPG signature” box, hit “Verify”.

On top of the page the following error message is stated:

The provided GPG key, signature and token do not match or token is out-of-date.

My Gitea user email address is the same as in certificate.
Is there any step I am missing?

Gitea Version: 1.15.6
Git Version: 2.34.0


I just verified this works with 1.15.6.

I see nothing wrong in the steps you describe. It probably is a :man_facepalming: problem (i.e. something creating the problem that is really simple… and that neither you or me are guessing :wink: )

I’m getting the same issue if I sign on Windows, but not if I sign on Linux. Probably something to do with that.

Same issue here, using gpg4win + Kleopatra with OpenPGP keys on windows 10. First it asks me to enter my public key, once I try to submit that it asks for a signature which I generate with the given command. Adding the generated signature and trying to submit results in: The provided GPG key, signature and token do not match or token is out-of-date.

Same here, gpg4win + Kleopatra fails but using wsl with GPG CLI works just fine

Same problem here. Found someone solution? I do not want to install WSL to all developers computers.

I’m having the same problem, and this is the only open thread I found on Google for this issue. Verification works when I do it on Linux, but not Windows.