How can I sign Git notes?


Git notes are a feature to add meta-information to Git objects. See this Stackoverflow article for further details. Similar to commits, I also want to sign notes.

My local Git is configured to sign all commits. While signing Git commits works as expected, Git notes remain unsigned. In my local Git config I have the following:

# excerpt from ~/.gitconfig
[commit]
    gpgsign = true

In order to sign notes, I tried the following.

# Create example repo
git init repo
cd repo
date >> DATE && git add DATE && git commit -m "update date"

# Commit has been signed (OK)
git show $( git rev-parse HEAD ) --show-signature

git notes add -m "Example note"

# Commit has a note now (OK)
git show $( git rev-parse HEAD ) --show-signature

# Note has not been signed (fail)
git log -p notes/commits --show-signature

How can I make sure that the Git notes are signed, too?


There are 2 answers

Brian61354270 On BEST ANSWER

Git does not natively support GPG signing notes.

However, you can manually sign notes as GPG clearsigned documents.

You can create a clearsigned note as

$ echo "My note" | gpg2 --clearsign --output=- | git notes add -F-

which will look something like this

$ git notes show
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My note
-----BEGIN PGP SIGNATURE-----

iHUAARYIAB0WIQRV1AjJ09Fu2Xnxkhi7mQ+45Dv2eQUCZTRkw7AKCRC7mQ+45Dv2
eQUfAPwKhEDkoOGWqTvM1gZG6k1fMtTXRN4/ju+qG2X6rlAx54D/TNsHI2kzETqB
Pa6/9YKoJfH/JulcVNAvGuylOOrabww=
=U8vT
-----END PGP SIGNATURE-----

You can then verify the signature with gpg as

$ git notes show | gpg2 --verify
gpg: Signature made Sat 21 Oct 2023 07:54:40 PM EDT
gpg:                using EDDSA key ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD
gpg: Good signature from "Foo Bar <[email protected]>" [ultimate]

To extract just the note, you can use

$ git notes show | gpg2 --verify --output=- 2>/dev/null
My note
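
Two things the clearsign approach above leaves open: `gpg2 --verify` exits 0 for any good signature, whatever key made it, and nothing ties the signed text to the commit it annotates, so a validly signed note can be copied onto a different commit. The following shell functions are an added example, not code from the answer or from Git; they put the commit hash inside the signed text and accept a note only when gpg reports a VALIDSIG from an expected fingerprint. They assume git and gpg2 on PATH (use gpg if your system has no gpg2 alias).

```shell
#!/bin/sh
# Added example, not code from the answer above. Binds a clearsigned note
# to the commit it annotates and accepts a note only when gpg reports a
# VALIDSIG from an expected key fingerprint. Assumes git and gpg2 on PATH.

# Text that actually gets signed: first line names the commit, the rest is the note.
bind_note() {  # bind_note <full commit sha> <note text>
  printf 'commit: %s\n%s\n' "$1" "$2"
}

# Does a signed body (read from stdin) name the given commit on its first line?
# Without this check a validly signed note could be moved onto any commit.
body_bound_to() {  # body_bound_to <full commit sha>
  first=$(head -n 1)
  [ "$first" = "commit: $1" ]
}

sign_note() {  # sign_note <commit-ish> <note text>
  sha=$(git rev-parse --verify "$1^{commit}") || return 1
  bind_note "$sha" "$2" | gpg2 --clearsign --output=- | git notes add -f -F - "$sha"
}

# Prints the note text (without the binding line) only if the signature is
# good, made by the expected key, and the signed text names this commit.
verify_note() {  # verify_note <commit-ish> <expected key fingerprint, 40 hex digits>
  sha=$(git rev-parse --verify "$1^{commit}") || return 1
  status=$(mktemp) || return 1
  ok=0
  # gpg writes machine-readable status lines to fd 3 and the verified body to stdout
  body=$(git notes show "$sha" | gpg2 --status-fd 3 --verify --output=- 3>"$status" 2>/dev/null) || ok=1
  grep -q "^\[GNUPG:\] VALIDSIG $2 " "$status" || ok=1
  rm -f "$status"
  [ "$ok" -eq 0 ] || return 1
  printf '%s\n' "$body" | body_bound_to "$sha" || return 1
  printf '%s\n' "$body" | tail -n +2
}
```

Typical use is `sign_note HEAD "Reviewed by security"` followed later by `verify_note HEAD <fingerprint>`, which fails (non-zero exit, no output) for an unsigned note, a signature from another key, or a note copied from a different commit.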
protonjohn On

While Brian gave what's likely the more useful answer, it is technically possible to sign git notes using commit signatures. Git notes themselves are actually stored in their own git branch, which by default is refs/notes/commits. If you really want to sign a git note natively, you can first create the note and then amend the resulting note commit in the branch, like so:

git notes add -m Test

# check out the notes ref in a separate work tree
git worktree add ../repo-notes refs/notes/commits
cd ../repo-notes
# -S takes its key as an attached argument (-S<key>); with a space the key
# would be parsed as a pathspec, so use the long form
git commit --amend --no-edit --gpg-sign=<Your signing key>
# refs/notes/commits is not a branch, so HEAD in the new work tree is detached;
# point the notes ref at the signed, amended commit
git update-ref refs/notes/commits HEAD

I tried this myself and was worried that git wouldn't like the signature when using git notes again, but it displayed it just fine:

commit d4288a389ec3328fc62e1590508b57ae1c5b5458
Author: Me
Date:   Now

    fix: test example

Notes:
    Test