git

How to retroactively sign all commits in a branch

/ Leave a Comment

If you haven’t set up GPG signing, check out my previous post on this here.

Say you created a new branch from main called my-branch. This guide will help you to sign all of the commits that are in my-branch that are not in main.

For starters, do a git fetch origin so that we are up to date with remotes. Be on my-branch. Ensure that you are rebased correctly from the main branch. This is not so important but will keep things clean and make it easy to merge later.

git rebase origin/main

Resolve conflicts, if any. Ensure clean state. Now to retroactively sign commits on my-branch, run:

git rebase --exec 'git commit --amend --no-edit -n -S' -i origin/main

Being on my-branch basically what you are saying here is that:

  1. Start an interactive rebase from the last known commit that is on origin/main, rolling back temporarily.
  2. For every commit, execute (--exec) git commit command, amending each commit without modifying its contents and signing every commit

Hope this helps.

Enabling git-GPG signed commits on MacOS

/ 1 Comment

Install gpg via Homebrew.

brew install gnupg

Here you can generate keys yourself or import an existing key.

gpg --generate-key
// OR
gpg --import path/to/secret.asc

Now we tell git what key we want to use. Run this command to list your keys:

gpg --list-secret-keys --keyid-format=long

You should see some output like below, copy the highlighted section:

sec   rsa2048/9A9A9A9A9A9A9A9A 2015-05-01 [SC]

Then set it as user.signingkey in git config

git config --global user.signingkey 9A9A9A9A9A9A9A9A

Tell git to sign commits and which program to use

git config --global commit.gpgsign true 
git config --global gpg.program gpg

In your bash profile set the following to allow for passphrase entry:

export GPG_TTY=$(tty)

Alternatively you can use the pinentry tool from homebrew.

Thats it! From now on, any new commits will be automatically signed. The program might ask you for your passphrase through your mechanism of choice (terminal/pop up etc).