Is there a way to sign git commits with gpg? It's so easy with tags (using -s
instead of -a
), it seems there would be a similar function for commits.
Sign git commits with GPG
14.5k views Asked by austin1howard AtThere are 2 answers
Note: Adding the -S
option all the time can be cumbersome.
In git 2.0 and later, you can add a config which will take care of that option for you.
See commit 2af2ef3 by Nicolas Vigier (boklm):
Add the commit.gpgsign
option to sign all commits
If you want to GPG sign all your commits, you have to add the
-S
option all the time.
Thecommit.gpgsign
config option allows to sign all commits automatically.
commit.gpgsign
A boolean to specify whether all commits should be GPG signed.
Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.
To set this globally on the command line:
git config --global commit.gpgsign true
With Git 2.27 (Q2 2020), "git rebase
" learned the "--no-gpg-sign
" option to countermand commit.gpgSign
the user may have.
See commit 5c5bac1, commit 4369d3a, commit 9da37fe, commit ae06ba6, commit cf0ad4d, commit c241371 (03 Apr 2020) by Đoàn Trần Công Danh (``).
(Merged by Junio C Hamano -- gitster
-- in commit fc3f6fd, 22 Apr 2020)
cherry-pick/revert
: honour--no-gpg-sign
in all caseSigned-off-by: Đoàn Trần Công Danh
{cherry-pick,revert} --edit hasn't honoured --no-gpg-sign yet.
Pass this option down to
git commit
to honor it.
Note that "git rebase --rebase-merges
"(man) did not correctly pass --gpg-sign
command line option to underlying "git merge
" when replaying a merge using non-default merge strategy or when replaying an octopus merge (because replaying a two-head merge with the default strategy was done in a separate codepath, the problem did not trigger for most users), which has been corrected with Git 2.30 (Q1 2021)
See commit 43ad4f2, commit 19dad04, commit ae03c97 (18 Oct 2020) by Samuel Čavoj (sammko
).
(Merged by Junio C Hamano -- gitster
-- in commit 73af6a4, 02 Nov 2020)
sequencer
: fix gpg option passed to merge subcommandSigned-off-by: Samuel Čavoj
When performing a rebase with
--rebase-merges
using either a custom strategy specified with-s
or an octopus merge, and at the same time havinggpgsign
enabled (either rebase-S
or configcommit.gpgsign
), the operation would fail on making the merge commit.Instead of "
-S%s
" with the key id substituted, only the bare key id would get passed to the underlying merge command, which tried to interpret it as a ref.Fix the issue and add test cases as suggested by Johannes Schindelin and Junio C Hamano.
And:
sequencer
: pass explicit--no-gpg-sign
tomerge
Signed-off-by: Samuel Čavoj
The merge subcommand launched for merges with non-default strategy would use its own default behaviour to decide how to sign commits, regardless of what
opts->gpg_sign
was set to.
For example the--no-gpg-sign
flag given to rebase explicitly would get ignored, ifcommit.gpgsign
was set totrue
.Fix the issue and add a test case exercising this behaviour.
Fixed in:
"git rebase --rebase-merges
"(man) did not correctly pass --gpg-sign
command line option to underlying "git merge
" when replaying a merge using non-default merge strategy or when replaying an octopus merge (because replaying a two-head merge with the default strategy was done in a separate codepath, the problem did not trigger for most users), which has been corrected with Git 2.30 (Q1 2021), .
See commit 43ad4f2, commit 19dad04, commit ae03c97 (18 Oct 2020) by Samuel Čavoj (sammko
).
(Merged by Junio C Hamano -- gitster
-- in commit 73af6a4, 02 Nov 2020)
sequencer
: fixgpg
option passed tomerge
subcommandSigned-off-by: Samuel Čavoj
When performing a
rebase
with--rebase-merges
using either a custom strategy specified with-s
or an octopus merge, and at the same time havinggpgsign
enabled (eitherrebase -S
or configcommit.gpgsign
), the operation would fail on making the merge commit.
Instead of "-S%s
" with the key id substituted, only the bare key id would get passed to the underlying merge command, which tried to interpret it as a ref.Fix the issue and add test cases as suggested by Johannes Schindelin and Junio C Hamano.
git commit -S
(requires git >= 1.7.9).