How do you approach signing git commits on many machines?

Question

Let's say I have my dot files and 2 computers

1. home computer
2. job computer

I have configured git, like this (inspired by https://dev.to/chakrit/multiple-identity-gitconfig-with-gpg-signing-8c0)

# default case
[include]
  path = config.personal

# when working with company-x
[includeIf "gitdir:**/company-x/**/.git"]
  path = config.company-x

where config files are

# home config
[user]
  name = Firstname Lastname
  email = [email protected]
  signingkey = some-key1

# job config
[user]
  name = Firstname Lastname
  email = [email protected]
  signingkey = some-key2

This is going to work on as long as I have some-key1 and some-key2 GPG keys on all machines, but I can't, can I? So what's the approach for that?

Should I separately generate all keys for all computers (like https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/#generating-a-gpg-key)?

Should I share my home key somehow or generate it on my job computer?

Should I sign my personal projects with my company key & email? I'd rather not. I'd like to have my personal email in my personal projects, regardless on which computer I did a commit.

Answer 1

Should I separately generate all keys for all computers

This is considered as a best practice, namely because:

• you can see from where you did your commits, based on the particular key used
• you can revoke a key (and update it) without invalidating all others.

If you want all your projects to:

• be on the same path company-x
• using the same global config (with different keys per machine)

You might consider, with Git 2.23+ using different branches name, one per machine (main-machine1, main-machine2, ...), each one pushing to the regular remote tracking origin/main of their respective repo.
That is because a conditional config file can also use the branch name for its includeIf directive.