Sign git commits with GPG

austin1howard picture austin1howard · Apr 9, 2012 · Viewed 10.6k times · Source

Is there a way to sign git commits with gpg? It's so easy with tags (using -s instead of -a), it seems there would be a similar function for commits.

Answer

VonC picture VonC · Dec 17, 2013

Note: Adding the -S option all the time can be cumbersome.
In git 2.0 and later, you can add a config which will take care of that option for you.

See commit 2af2ef3 by Nicolas Vigier (boklm):

Add the commit.gpgsign option to sign all commits

If you want to GPG sign all your commits, you have to add the -S option all the time.
The commit.gpgsign config option allows to sign all commits automatically.

commit.gpgsign

A boolean to specify whether all commits should be GPG signed.
Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.

As Apteryx commented below:

To set this globally on the command line:

git config --global commit.gpgsign true

With Git 2.27 (Q2 2020), "git rebase" learned the "--no-gpg-sign" option to countermand commit.gpgSign the user may have.

See commit 5c5bac1, commit 4369d3a, commit 9da37fe, commit ae06ba6, commit cf0ad4d, commit c241371 (03 Apr 2020) by Đoàn Trần Công Danh (``).
(Merged by Junio C Hamano -- gitster -- in commit fc3f6fd, 22 Apr 2020)

cherry-pick/revert: honour --no-gpg-sign in all case

Signed-off-by: Đoàn Trần Công Danh

{cherry-pick,revert} --edit hasn't honoured --no-gpg-sign yet.

Pass this option down to git commit to honor it.


Note that "git rebase --rebase-merges"(man) did not correctly pass --gpg-sign command line option to underlying "git merge" when replaying a merge using non-default merge strategy or when replaying an octopus merge (because replaying a two-head merge with the default strategy was done in a separate codepath, the problem did not trigger for most users), which has been corrected with Git 2.30 (Q1 2021)

See commit 43ad4f2, commit 19dad04, commit ae03c97 (18 Oct 2020) by Samuel Čavoj (sammko).
(Merged by Junio C Hamano -- gitster -- in commit 73af6a4, 02 Nov 2020)

sequencer: fix gpg option passed to merge subcommand

Signed-off-by: Samuel Čavoj

When performing a rebase with --rebase-merges using either a custom strategy specified with -s or an octopus merge, and at the same time having gpgsign enabled (either rebase -S or config commit.gpgsign), the operation would fail on making the merge commit.

Instead of "-S%s" with the key id substituted, only the bare key id would get passed to the underlying merge command, which tried to interpret it as a ref.

Fix the issue and add test cases as suggested by Johannes Schindelin and Junio C Hamano.

And:

sequencer: pass explicit --no-gpg-sign to merge

Signed-off-by: Samuel Čavoj

The merge subcommand launched for merges with non-default strategy would use its own default behaviour to decide how to sign commits, regardless of what opts->gpg_sign was set to.
For example the --no-gpg-sign flag given to rebase explicitly would get ignored, if commit.gpgsign was set to true.

Fix the issue and add a test case exercising this behaviour.

Fixed in:

"git rebase --rebase-merges"(man) did not correctly pass --gpg-sign command line option to underlying "git merge" when replaying a merge using non-default merge strategy or when replaying an octopus merge (because replaying a two-head merge with the default strategy was done in a separate codepath, the problem did not trigger for most users), which has been corrected with Git 2.30 (Q1 2021), .

See commit 43ad4f2, commit 19dad04, commit ae03c97 (18 Oct 2020) by Samuel Čavoj (sammko).
(Merged by Junio C Hamano -- gitster -- in commit 73af6a4, 02 Nov 2020)

sequencer: fix gpg option passed to merge subcommand

Signed-off-by: Samuel Čavoj

When performing a rebase with --rebase-merges using either a custom strategy specified with -s or an octopus merge, and at the same time having gpgsign enabled (either rebase -S or config commit.gpgsign), the operation would fail on making the merge commit.
Instead of "-S%s" with the key id substituted, only the bare key id would get passed to the underlying merge command, which tried to interpret it as a ref.

Fix the issue and add test cases as suggested by Johannes Schindelin and Junio C Hamano.