Git sign commits and tags
«github sign verification»
upload public ssh key to github
Settings > SSH and GPG keys > New SSH key > Key type = signing key > paste your public key
configure signing via SSH key
```sh
git config gpg.format ssh
git config user.signingkey ~/.ssh/id_ed25519 # private key
```
configure automatic signing
```sh
git config commit.gpgSign true
git config tag.gpgSign true
# create allowed keys list
git config gpg.ssh.allowedSignersFile .git/ssh_signers
# the signers file takes the PUBLIC key (.pub), never the private key
echo "username@users.noreply.github.com $(cat ~/.ssh/id_ed25519.pub)" > .git/ssh_signers
```
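Each entry in the allowed signers file is `principal keytype base64-public-key`. An added example (not from the original page; the function names and the sample key are constructed) that builds such a line from a `.pub` file and rejects private key material:

```sh
#!/bin/sh
# Added example; function names and the key below are constructed.

# Print "<principal> <keytype> <base64>" from a PUBLIC key file.
# Refuses files that contain private key material.
signer_line() {
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "refusing: $2 holds a private key" >&2
        return 1
    fi
    # A .pub file is "<keytype> <base64> [comment]"; keep the first two fields.
    awk -v p="$1" '
        $1 ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $2 ~ "^[A-Za-z0-9+/=]+$" {
            print p, $1, $2; ok = 1; exit
        }
        END { exit (ok ? 0 : 1) }' "$2"
}

# Report allowed-signers entries with no "<keytype> <base64>" pair;
# return non-zero if any entry is bad.
check_signers() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            good = 0
            # field 1 is the principal list; options may precede the key type
            for (i = 2; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i + 1) ~ "^[A-Za-z0-9+/=]+$")
                    good = 1
            if (!good) { print "line " NR ": no public key"; bad++ }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Demo on constructed input (the key is a placeholder, not a real key).
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyOnly me@host' > "$demo/id.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3BlbnNzaC1rZXk=' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo/id"
signer_line username@users.noreply.github.com "$demo/id.pub" > "$demo/ssh_signers"
check_signers "$demo/ssh_signers" && echo "ssh_signers OK"
signer_line username@users.noreply.github.com "$demo/id" || echo "private key rejected"
```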
verify signature in log
```sh
git config --global alias.logs 'log --show-signature'
git logs
```
optional: change all commits' email (w/o history change)
```sh
git config user.email "username@users.noreply.github.com"
git -c rebase.instructionFormat='%s%nexec GIT_COMMITTER_DATE="%cD" GIT_AUTHOR_DATE="%aD" git commit --amend --no-edit --reset-author' rebase -f --root
```
optional: sign all commits (w/o history change)
```sh
git filter-branch --commit-filter 'git commit-tree -S "$@";' -- --all
```
Note: filter-branch will strip the signatures from tags; you have to sign your tags again
```ruby
# Ruby: re-create every tag as a signed tag, dated with the tagged commit's author date
`git tag`.split("\n").each{|t| system %Q|GIT_COMMITTER_DATE="$(git log -1 --format=%aD #{t})" git tag #{t} #{t}^{} -f -s -m #{t}|}; nil
```
push changes to remote overwriting everything
```sh
git push -f
git push -f --tags
```
Source: allowed keys list, change email respecting privacy, sign previous commits + gist, github verification / key / commits / tags