Amin Shah Gilani

Reputation: 9866

How do I configure git to PGP sign my tags by default (not my commits)

I currently have the following ~/.gitconfig:

[gpg]
    program = /usr/local/bin/krgpg
[commit]
    gpgSign = true
[tag]
    forceSignAnnotated = true

A commit requires me to sign using PGP:

git commit -m "Add package.json"
Krypton ▶ Requesting git commit signature from phone

However, I want to only sign my tags, and skip signing commits.

Question: Is there any way for me to configure git to sign just my tags?

I mean, short of aliasing:

$ git alias.tag 'tag -s'

Upvotes: 12

Views: 3741

Answers (1)

VonC

Reputation: 1326994

With Git 2.23 (Q3 2019), you now have a new tag.gpgSign configuration variable, which turns "git tag -a" into "git tag -s"! You can enable it by default with:

git config --global tag.gpgSign true

See commit 1c6b565 (05 Jun 2019) by Tigran Mkrtchyan (tigran1999).
(Merged by Junio C Hamano -- gitster -- in commit 492d7a5, 09 Jul 2019)

tag: add tag.gpgSign config option to force all tags be GPG-signed

As many CI/CD tools don't allow controlling command line options when executing the git tag command, a default value in the configuration file will allow enforcing tag signing if required.

The new config-file option tag.gpgSign is added to define the default behavior of tag signing.
To override the default behavior, the command line options -s, --sign and --no-sign can be used:

$ git tag -m "commit message"

will generate a GPG-signed tag if the tag.gpgSign option is true, while

$ git tag --no-sign -m "commit message"

will skip the signing step.

The git config for tag now includes:

tag.gpgSign:

A boolean to specify whether all tags should be GPG signed.

Use of this option when running in an automated script can result in a large number of tags being signed.
It is therefore convenient to use an agent to avoid typing your gpg passphrase several times.

Note that this option doesn't affect tag signing behavior enabled by the "-u <keyid>" or "--local-user=<keyid>" options.


A failed "git tag -s" did not necessarily result in an error depending on the crypto backend, which has been corrected with Git 2.44.0 (Q1 2024), rc1.

See commit 6931049, commit abfbff6 (07 Feb 2024) by Junio C Hamano (gitster).
(Merged by Junio C Hamano -- gitster -- in commit 05c5a6d, 12 Feb 2024)

tag: fix sign_buffer() call to create a signed tag

Reported-by: Sergey Kosukhin

The command "git tag -s" internally calls sign_buffer() to make a cryptographic signature using the chosen backend like GPG and SSH.

The internal helper functions used by the "git tag" implementation seem to use a "negative return values are errors, zero or positive return values are not" convention, and there are places (e.g., verify_tag() that calls gpg_verify_tag()) where these internal helper functions translate return values that signal errors to conform to this convention, but do_sign() that calls sign_buffer() forgets to do so.

Fix it, so that a failed call to sign_buffer() that can return the exit status from pipe_command() will not be overlooked.

Upvotes: 29
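A quick way to confirm that the commit.gpgSign / tag.gpgSign split really produces unsigned commits and signed tags before relying on it in a release pipeline is to exercise it in a throwaway repository. The script below is an added example, not code from the question or the answer; it assumes git 2.23 or newer on PATH. Because a real keyring is not needed to check the configuration logic, gpg.program is pointed at a small fake signer constructed in the script (fake-gpg, a placeholder) that only imitates the "[GNUPG:] SIG_CREATED" status line git's sign_buffer() waits for; the user name, e-mail and tag names are constructed placeholders too.

```shell
#!/bin/sh
# Added example, not from the question or the answer: builds a temporary repo
# with commit.gpgSign=false and tag.gpgSign=true and shows that only tags get
# signed. gpg.program is replaced by a fake signer (constructed below) so the
# check runs offline; it mimics the status line git expects from gpg, nothing more.
set -e

REPO=""

setup_repo() {
  work=$(mktemp -d)
  REPO="$work/repo"
  # Fake gpg: git runs "<program> --status-fd=2 -bsau <key>" and pipes the tag
  # body to stdin. Consume it, emit a dummy signature block on stdout and
  # report success on fd 2 ("[GNUPG:] SIG_CREATED ..." at the start of a line).
  cat > "$work/fake-gpg" <<'EOF'
#!/bin/sh
cat >/dev/null
printf '%s\n' '-----BEGIN PGP SIGNATURE-----' 'ZmFrZS1zaWduYXR1cmU=' '-----END PGP SIGNATURE-----'
printf '\n[GNUPG:] SIG_CREATED D 1 8 00 1700000000 0000000000000000000000000000000000000000\n' >&2
EOF
  chmod +x "$work/fake-gpg"

  git init -q "$REPO"
  git -C "$REPO" config user.name "Example Maintainer"          # constructed identity
  git -C "$REPO" config user.email "maintainer@example.invalid"
  git -C "$REPO" config gpg.format openpgp
  git -C "$REPO" config gpg.program "$work/fake-gpg"
  git -C "$REPO" config commit.gpgSign false   # plain commits, as the asker wants
  git -C "$REPO" config tag.gpgSign true       # every annotated tag gets signed
  git -C "$REPO" commit -q --allow-empty -m "Initial commit"
}

# Prints 1 if HEAD carries a gpgsig header, 0 otherwise.
commit_signed() {
  if git -C "$REPO" cat-file commit HEAD | grep -q '^gpgsig '; then echo 1; else echo 0; fi
}

# Prints 1 if the named annotated tag object ends in a PGP signature block.
tag_signed() {
  if git -C "$REPO" cat-file tag "$1" | grep -q 'BEGIN PGP SIGNATURE'; then echo 1; else echo 0; fi
}

# Prints the object type a ref resolves to: "tag" (annotated) or "commit" (lightweight).
tag_object_type() {
  git -C "$REPO" cat-file -t "$1"
}

run_demo() {
  setup_repo
  git -C "$REPO" tag -a v1.0 -m "Release 1.0"   # signed because of tag.gpgSign
  git -C "$REPO" tag --no-sign v1.0-light        # explicit opt-out: lightweight tag
  echo "commit signed:  $(commit_signed)"              # 0
  echo "v1.0 signed:    $(tag_signed v1.0)"            # 1
  echo "v1.0-light is:  $(tag_object_type v1.0-light)" # commit
}

run_demo
```

Swap the fake signer for your real gpg (or Krypton's krgpg) and the same three checks tell you, per repository, whether the policy you configured is the one git actually applies; the --no-sign case is worth keeping in the check because it is the one escape hatch a CI job could use to push an unsigned tag despite tag.gpgSign.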