How do I configure git to PGP sign my tags by default (not my commits)

Question

I currently have the following ~/.gitconfig:

[gpg]
    program = /usr/local/bin/krgpg
[commit]
    gpgSign = true
[tag]
    forceSignAnnotated = true

A commit requires me to sign using PGP:

git commit -m "Add package.json"
Krypton ▶ Requesting git commit signature from phone

However, I want to only sign my tags, and skip signing commits.

Question: Is there any way for me configure git to sign just my tags

I mean, short of aliasing:

$ git alias.tag 'tag -s'

Answer 1

With Git 2.23 (Q3 2019), you now have a new tag.gpgSign configuration variable, which turns "git tag -a" into "git tag -s"!

See commit 1c6b565 (05 Jun 2019) by Tigran Mkrtchyan (tigran1999).
^{(Merged by Junio C Hamano -- gitster -- in commit 492d7a5, 09 Jul 2019)}

tag: add tag.gpgSign config option to force all tags be GPG-signed

As many CI/CD tools don't allow to control command line options when executing git tag command, a default value in the configuration file will allow to enforce tag signing if required.

The new config-file option tag.gpgSign is added to define default behavior of tag signings.
To override default behavior the command line option -s, --sign and --no-sign can be used:

$ git tag -m "commit message"

will generate a GPG signed tag if tag.gpgSign option is true, while

$ git tag --no-sign -m "commit message"

will skip the signing step.

The git config for tag now includes:

tag.gpgSign:

A boolean to specify whether all tags should be GPG signed.

Use of this option when running in an automated script can result in a large number of tags being signed.
It is therefore convenient to use an agent to avoid typing your gpg passphrase several times.

Note that this option doesn't affects tag signing behavior enabled by "-u <keyid>" or "--local-user=<keyid>" options.