CODEWITHSUNDEEP
gitgit-configgit-tag
sorin
sorin

Reputation: 170628

How to configure Git to always sign tags?

Few repositories I use require all tags to be signed and sometimes I forget to add the -s to git tag, or even worse, I create the tag using a Git GUI that has no idea about tags.

Is there a way to configure Git to always sign tags?

I tried adding the below hack(s) to .gitconfig but it didn't have any effect, tags were created without signature unless I manually mentioned the -s in the CLI.

[alias]
tag = tag -s

[tag]
forceSignAnnotated = true

[commit]
gpgsign = true

Upvotes: 35

Views: 11382

Answers (3)

VonC
VonC

Reputation: 1326994

Update for Git 2.23 (Q3 2019), you now have git config tag.gpgSign true!

Original answer (June 2018)

While there is no "signed by default" mode for git tag, the documentation mentions:

Once you have a private key to sign with, you can configure Git to use it for signing things by setting the user.signingkey config setting.

git config --global user.signingkey 0A46826A

By default, git tag in sign-with-default mode (-s) will use your committer identity (of the form Your Name <[email protected]>) to find a key.
If you want to use a different default key, you can specify it in the repository configuration as follows:

[user]
    signingKey = <gpg-keyid>

Note: if you create your tag with the -m option (tag -m "a comment" myTag), that make them annotated.

From git tag man page:

If -m <msg> or -F <file> is given and -a, -s, and -u <keyid> are absent, -a is implied.

So you could:

  • not define an alias for git tag (not add -s)
  • set from terminal git config tag.forceSignAnnotated true

That way, any git tag -m "a comment" myTag will trigger the gpgpSign.
Only for annotated tag, but since those are ones which are supposed to be not just local to your repo but also pushed, that should be enough.

Upvotes: 41

EliT
EliT

Reputation: 85

I don't know about the alias directive, but your [tag] and [commit] seem correct, and those are working for me. Just make sure (like Bjoern Rennhak) said that user.signingkey is also defined and using a valid key. Also check your git version, as 'forceSignAnnotated' was only made available as of Git version 2.9.0.

Upvotes: 0

phd
phd

Reputation: 94706

[alias]
tag = tag -s

You cannot override a builtin command with an alias. Use a different name for the alias:

[alias]
stag = tag -s

As for

[tag]
forceSignAnnotated = true

this forces annotated tags to be signed but you have to create annotated tags with git tag -a which is not much better that git tag -s.

Upvotes: 7

Related Questions