Git always asks me to enter a passphrase to unlock my secret key while signing a commit using.
git commit -S -m 'message'
How can I store in cache the password so that I don't have to enter it each and every time while signing the commit
You can disable this by running git config commit. gpgsign false This sets the configuration locally instead of globally.
About GPG keys GPG is a command line tool used together with Git to encrypt and sign commits or tags to verify contributions in Bitbucket. In order to use GPG keys with Bitbucket, you'll need generate a GPG key locally, add it to your Bitbucket account, and also set it up for use with Git.
You can sign commits locally using GPG or S/MIME. Note: GitHub Desktop only supports commit signing if your Git client is configured to sign commits by default. Tips: To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.
Git never gets hold of the GnuPG passphrase. You must rely on GnuPG's capabilities of caching passphrases, which happens through gpg-agent
which are easily set up by editing ~/.gnupg/gpg-agent.conf
(hidden somewhere in your AppData
folder in Windows).
Set default-cache-ttl
to the number of seconds the passphrase is cached after each invocation of GnuPG. maximum-cache-ttl
sets the time after the passphrase was initially entered at which the cache is wiped. Make sure ignore-cache-for-signing
is not set -- otherwise GnuPG will ignore the cache for signing operations.
If you want to sign commits without any user interaction, you can prefill the cache through gpg-preset-passphrase
, often hidden somewhere in a location like /usr/lib/gnupg2/gpg-preset-passphrase
; or by running an arbitrary decryption or signing operation. You might also configure git to use an option like --passphrase [your passphrase]
to be passed to gpg
, but read up on the restrictions and security implications of this approach (it involves your passphrase being stored in plaintext somewhere).
Full list of options is here.
After updating to Ubuntu 18.04 all my previous solutions no longer worked, because gnome-keyring
no longer implements a GPG agent, and I couldn't get gpg-agent
to cache any passphrase.
Here's the solution that finally worked for me:
Create a script gpg-without-tty
:
#!/bin/bash echo $(secret-tool lookup gpgpassphrase $GPGKEY) | /usr/bin/gpg --batch \ --no-tty --pinentry-mode loopback --passphrase-fd 0 "$@"
Set your passphrase for $GPGKEY in gnome-keyring:
secret-tool store --label='Passphrase for GPG Key' gpgpassphrase $GPGKEY
Tell git to use the gpg-without-tty
script:
git config --global gpg.program /path/to/gpg-without-tty
You might also have to add the allow-loopback-pinentry
setting to ~/.gnupg/gpg-agent.conf
.
Update: While this worked locally it turns out that it somehow messed up the signatures: it signed the commits with the full 40-character fingerprint. GitHub didn't recognize these signatures as being valid. And when I looked at older commits that I had signed before updating to 18.04 (git log --show-signature
) they no longer showed up as valid. I ended up removing the gpg.program
setting in the git config. Turns out the problems I encountered were probably related to having that setting in the first place (which I used in the past to work around a different problem).
So, in short, running git config --global --unset gpg.program
was the answer to my problems after the update.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With