Git sign commits and tags
mouse 41 · person cloud · link
Last update: 2024-04-18
«github sign verification»

upload public ssh key to github

Settings > SSH and GPG keys > New SSH key > Key type = signing key > paste your public key

configure signing via SSH key

git config  gpg.format       ssh
git config  user.signingkey  ~/.ssh/id_ed25519  # private key

configure automatic signing

git config  commit.gpgSign  true
git config  tag.gpgSign     true

# create allowed keys list (it holds the PUBLIC key, never the private one)
git config  gpg.ssh.allowedSignersFile  .git/ssh_signers
echo "username@users.noreply.github.com $(cat ~/.ssh/id_ed25519.pub)" > .git/ssh_signers
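
The allowed signers file lists public keys, one per line, as `principal [options] key-type base64-key`. The check below is an added example, not part of the original note: `lint_signers`, `make_samples` and the sample key blobs are constructed for illustration, and it flags lines that are not in that form, including private key material written there by mistake.

```shell
#!/bin/sh
# Added example: lint an allowed signers file before pointing
# gpg.ssh.allowedSignersFile at it. Usage: lint_signers FILE
lint_signers() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # blank lines and comments are legal
    inpriv { if (/END .*PRIVATE KEY/) inpriv = 0; next }
    /BEGIN .*PRIVATE KEY/ {                  # id_ed25519 used instead of id_ed25519.pub
        printf "line %d: private key material\n", NR
        inpriv = 1; bad = 1; next
    }
    {
        kt = 0                               # options may sit between principal and key type
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) { kt = i; break }
        if (!kt) {
            printf "line %d: no key type after principal\n", NR; bad = 1
        } else if ($(kt + 1) !~ "^AAAA[A-Za-z0-9+/]+=*$") {
            printf "line %d: key field is not a base64 public key blob\n", NR; bad = 1
        }
    }
    END { exit bad + 0 }                     # non-zero status if any line was flagged
    ' "$1"
}

# Constructed sample input (placeholder key blobs, not real keys).
make_samples() {
    cat > "$1/good" <<'EOF'
# principal  [options]  key-type  base64-public-key
username@users.noreply.github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
username@users.noreply.github.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
EOF
    cat > "$1/bad" <<'EOF'
username@users.noreply.github.com -----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERNOTAKEY
-----END OPENSSH PRIVATE KEY-----
username@users.noreply.github.com AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
lint_signers "$demo_dir/good" && echo "good: ok"
lint_signers "$demo_dir/bad" || echo "bad: rejected"
rm -rf "$demo_dir"
```

Run it as `lint_signers .git/ssh_signers` after writing the file; a clean file produces no output and exit status 0.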

verify signature in log

git config --global alias.logs 'log --show-signature'
git logs

optional: change all commits' email (w/o history change)

git config  user.email  "username@users.noreply.github.com"
git -c rebase.instructionFormat='%s%nexec GIT_COMMITTER_DATE="%cD" GIT_AUTHOR_DATE="%aD" git commit --amend --no-edit --reset-author' rebase -f --root

optional: sign all commits (w/o history change)

git filter-branch --commit-filter 'git commit-tree -S "$@";' -- --all

Note: filter-branch strips the signatures from tags, so you have to sign your tags again

# Ruby (e.g. in irb): re-create each tag as a signed tag dated with the tagged commit's author date
`git tag`.split("\n").each{|t| system %Q|GIT_COMMITTER_DATE="$(git log -1 --format=%aD #{t})" git tag #{t} #{t}^{} -f -s -m #{t}|}; nil

push changes to remote overwriting everything

git push -f
git push -f --tags

Source: allowed keys list, change email respecting privacy, sign previous commits + gist, github verification / key / commits / tags