Just wanted to ask here if there were an easy way to make sure Git always signs each commit it creates, or tags that are created?
I tried it with something like:
alias commit = commit -S
Note: if you don't want to add -S all the time to make sure your commits are signed, there is a proposal (branch 'pu' for now, December 2013, so no guarantee it will make it to a git release) to add a config which will take care of that option for you.
Update May 2014: it is in Git 2.0 (after being resent in this patch series)
commit.gpgsign option to sign all commits
If you want to GPG sign all your commits, you have to add the -S option all the time.
commit.gpgsign config option allows to sign all commits automatically.
A boolean to specify whether all commits should be GPG signed.
Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.
That config is usually set per repo (you don't need to sign your private experimental local repos):
cd /path/to/repo/needing/gpg/signature
git config commit.gpgsign true
You would combine that with user.signingKey used as a global setting (unique key used for all repos where you want to sign commits)
git config --global user.signingkey F2C7AB29
user.signingKey was introduced in git 1.5.0 (Jan. 2007) with commit d67778e:
There shouldn't be a requirement that I use the same form of my name in my git repository and my gpg key.
Further I might have multiple keys in my keyring, and might want to use one that doesn't match up with the address I use in commit messages.
This patch adds a configuration entry "user.signingKey" which, if present, will be passed to the "-u" switch for gpg, allowing the tag signing key to be overridden.
This is enforced with commit aba9119 (git 126.96.36.199) in order to catch the case where the user has misconfigured user.signingKey in their .git/config or just doesn't have any secret keys on their keyring.
signingkey, even though the git config keys are case insensitive. That would matter only if you do git config --get-regexp, which is case sensitive, otherwise, it is only a readability convention;
git push --signed failed to consider the user.signingKey to force signing annotated tags as well as commits: commit 61c2fe0.
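An added example, not part of the original answer: a POSIX shell check that a repository really has the two settings described above (commit.gpgsign and user.signingKey) in effect, reporting whether each comes from the repo or the global config. The function names, the script file name and the pass/fail policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a repository's
# commit-signing configuration. Policy assumed here: commit.gpgsign must be
# true and user.signingKey must name a key.

# Print where a key is set for repo $1: local, global, other (e.g. system) or unset.
scope_of() {
    if git -C "$1" config --local --get "$2" >/dev/null 2>&1; then
        echo local
    elif git -C "$1" config --global --get "$2" >/dev/null 2>&1; then
        echo global
    elif git -C "$1" config --get "$2" >/dev/null 2>&1; then
        echo other
    else
        echo unset
    fi
}

# Return 0 only when every commit in repo $1 will be signed with a pinned key.
audit_signing() {
    as_status=0
    # --bool normalises yes/on/1 to "true"; the value is empty when the key is unset.
    as_sign=$(git -C "$1" config --bool --get commit.gpgsign 2>/dev/null) || as_sign=""
    as_key=$(git -C "$1" config --get user.signingKey 2>/dev/null) || as_key=""
    if [ "$as_sign" = "true" ]; then
        echo "ok   commit.gpgsign=true ($(scope_of "$1" commit.gpgsign))"
    else
        echo "FAIL commit.gpgsign is not true: commits are signed only when -S is given"
        as_status=1
    fi
    if [ -n "$as_key" ]; then
        echo "ok   user.signingKey=$as_key ($(scope_of "$1" user.signingKey))"
    else
        echo "FAIL user.signingKey is unset: no key is pinned for signing"
        as_status=1
    fi
    return $as_status
}

# Usage (hypothetical file name): sh audit-signing.sh /path/to/repo
if [ -n "${1:-}" ]; then
    audit_signing "$1"
fi
```

A local commit.gpgsign=false overrides a global true, so the audit reads the effective value rather than a single file.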