Reputation:
How do I cryptographically sign all commits on a branch?
I have PGP key that let's me sign the commits via git commit -S. To sign my last commit I did a git commit -S --amend --no-edit and it signed my commit.
Now, I want to sign all the commits that are there in the branch filtered.
I tried: git filter-branch --commit-filter 'git commit -S --amend --no-edit'
and it gives me an error message:
$ git filter-branch --commit-filter 'git commit --amend --no-edit -S' HEAD
Rewrite 07b0ac12f5fe1d8963d7ae0ac7fbda50cb6e74a9 (1/10)gpg: skipped "Anubhav Saini <[email protected]>": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object
could not write rewritten commit
Another issue: raising another git commit --amend --no-edit -S results in:
(filter-test)$ git commit -S --no-edit --amend
You need a passphrase to unlock the secret key for
user: "Anubhav Saini <[email protected]>"
[filter-test c5ea180] Removing defer and async from scripts
4 files changed, 28 insertions(+), 28 deletions(-)
Questions
- How to batch sign the commit messages?
- What is raising another sign doing actually and behind the scene?
Upvotes: 7
Views: 1589
Answers (3)
Reputation: 10079
Make a backup of your repository before you get started:
tar czf my-repo-backup-2022-03-04.tar.gz ./my-repo
Sign all commits in since first commit without modifying commit date:
FIRST_COMMIT="$(git rev-list --max-parents=0 HEAD)"
git filter-branch --commit-filter 'git commit-tree -S "$@";' "${FIRST_COMMIT}"..HEAD
With help from GuyPaddock here and Chris Johnsen here.
Upvotes: 1
Reputation: 139621
Consider that rewriting history to sign all the commits in a branch may be overkill.
Because of the git object model, a commit exists in context. Signing the head commit alone also imputes your blessing to its immediate parent (or parents if it is a merge commit) as well as their parents in turn all the way back to day one of your repository.
This is why signing a tag for an official release, for example, is sufficient. Git objects are immutable because each one’s SHA-1 object name is derived from its content. Therefore, starting from a known trusted point allows you and others to chase pointers (which is what git log, git checkout, git fsck, and so on do behind the scenes) to verify integrity.
If you are working on unpublished history, consider condensing the history with git merge --squash or git rebase -i and signing the resulting commit.
Upvotes: 3
Reputation: 17455
probably you should setup a gpg-agent with a decent timeout for passphrase validity (enough to run the whole sequence of rewrites). See this Arch wiki page for help. Thus, can enter the passphrase once, before the rewrite, and then all invocation of gpg will use that unlocked key for a while.
Upvotes: 0
Related Questions
- How can I rename a local Git branch?
- How do I undo the most recent local commits in Git?
- How to check out a remote Git branch?
- How do I delete a Git branch locally and remotely?
- How do I squash my last N commits together?
- How do I undo 'git add' before commit?
- How do I change the author and committer name/email for multiple commits?
- How do I force "git pull" to overwrite local files?
- Reset local repository branch to be just like remote repository HEAD
- Move the most recent commit(s) to a new branch with Git