 

Is there a way to "autosign" commits in Git with a GPG key?

Is there an easy way to make Git always sign each commit or tag that is created?

I tried it with something like:

alias commit = commit -S

But that didn't do the trick.

I don't want to install a different program to make this happen. Is it doable with ease?

Just a side question, maybe commits shouldn't be signed, only tags, which I never create, as I submit single commits for a project like Homebrew, etc.

MindTooth asked Apr 15 '12 10:04




1 Answer

Note: if you don't want to add -S all the time to make sure your commits are signed, there is a proposal (branch 'pu' for now, December 2013, so no guarantee it will make it to a git release) to add a config which will take care of that option for you.
Update May 2014: it is in Git 2.0 (after being resent in this patch series).

See commit 2af2ef3 by Nicolas Vigier (boklm):

Add the commit.gpgsign option to sign all commits

If you want to GPG sign all your commits, you have to add the -S option all the time.
The commit.gpgsign config option allows you to sign all commits automatically.

commit.gpgsign 

A boolean to specify whether all commits should be GPG signed.
Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.


That config is usually set per repo (you don't need to sign your private experimental local repos):

    cd /path/to/repo/needing/gpg/signature
    git config commit.gpgsign true

You would combine that with user.signingKey used as a global setting (a single key used for all repos where you want to sign commits):

    git config --global user.signingkey F2C7AB29!
                                                ^

As ubombi suggests in the comments (and explains in "GPG Hardware Key and Git Signing", based on "How to Specify a User Id"):

When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key, and not to try and calculate which primary or secondary key to use.


user.signingKey was introduced in git 1.5.0 (Jan. 2007) with commit d67778e:

There shouldn't be a requirement that I use the same form of my name in my git repository and my gpg key.
Further I might have multiple keys in my keyring, and might want to use one that doesn't match up with the address I use in commit messages.

This patch adds a configuration entry "user.signingKey" which, if present, will be passed to the "-u" switch for gpg, allowing the tag signing key to be overridden.

This is enforced with commit aba9119 (git 1.5.3.2) in order to catch the case where the user has misconfigured user.signingKey in their .git/config or just doesn't have any secret keys on their keyring.

Notes:

  • By convention, since git 2.4.0 (March 2015), it is signingKey, not signingkey, even though git config keys are case insensitive. That would matter only if you do git config --get-regexp, which is case sensitive; otherwise it is only a readability convention;
  • If you want the git server to check the signature for each push, you will need git 2.2+ (Oct. 2014) at least (commit b945901), as git push --signed failed to consider the user.signingKey config value;
  • git 2.9 (June 2016) will use user.signingKey to force signing annotated tags as well as commits: commit 61c2fe0.
VonC answered Sep 19 '22 18:09
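An end-to-end check of the two settings from the answer, as an added example (this is not code from the question or from VonC's answer). It generates a throwaway, passphrase-less signing key in an isolated GNUPGHOME, points a throwaway HOME's global config at that key with the "!" suffix, then makes one commit in a repo with commit.gpgsign true and one in a repo with it false, never passing -S. git verify-commit tells the two apart. It assumes gpg 2.1 or newer and git 2.0 or newer on PATH; the user id, paths and repo contents are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the question or from VonC's answer.
# Demonstrates commit.gpgsign + user.signingKey signing a commit with no -S,
# a repo without commit.gpgsign staying unsigned, and git verify-commit
# distinguishing the two. Runs entirely in temporary HOME/GNUPGHOME dirs,
# so the real ~/.gitconfig and keyring are never touched.
# Assumes gpg >= 2.1 and git >= 2.0; the identity below is a constructed placeholder.
set -eu

if ! command -v git >/dev/null 2>&1 || ! command -v gpg >/dev/null 2>&1; then
    echo "git and gpg are required for this demo" >&2
    exit 0
fi

WORK="$(mktemp -d)"
export HOME="$WORK/home"        # 'git config --global' writes here, not to your real home
export GNUPGHOME="$WORK/gnupg"  # isolated keyring for the demo key
mkdir -p "$HOME" "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Create a passphrase-less Ed25519 signing key non-interactively and print its
# full fingerprint (first "fpr" record of the secret keyring = the primary key).
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Autosign Demo <autosign@example.invalid>' ed25519 sign \
        >/dev/null 2>&1
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Init a repo at $1 with commit.gpgsign set to $2 ("true"/"false") and make one
# commit. Note that -S is never passed: only the config decides.
make_repo() {
    git init -q "$1"
    git -C "$1" config user.name  'Autosign Demo'
    git -C "$1" config user.email 'autosign@example.invalid'
    git -C "$1" config commit.gpgsign "$2"
    echo hello > "$1/README"
    git -C "$1" add README
    git -C "$1" commit -q -m 'initial commit'
}

# Exit 0 only if commit $2 in repo $1 carries a signature gpg accepts;
# an unsigned commit makes git verify-commit fail.
commit_is_signed() {
    git -C "$1" verify-commit "$2" >/dev/null 2>&1
}

FPR="$(make_signing_key)"
# The trailing "!" pins git (via gpg -u) to exactly this key, as the answer explains,
# instead of letting gpg choose a primary or subkey on its own.
git config --global user.signingkey "${FPR}!"

make_repo "$WORK/signed"   true
make_repo "$WORK/unsigned" false

for repo in signed unsigned; do
    if commit_is_signed "$WORK/$repo" HEAD; then
        echo "$repo: HEAD has a good signature"
    else
        echo "$repo: HEAD is not signed"
    fi
done

# Show the signature block git attached to the auto-signed commit.
git --no-pager -C "$WORK/signed" log -1 --show-signature
```

Run it as `sh autosign-demo.sh`: the "signed" repo reports a good signature and the "unsigned" one does not, which is exactly the difference the per-repo commit.gpgsign switch makes. Because user.signingkey is global while commit.gpgsign is per repo, repos you have not opted in stay unsigned even though the key is configured.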