Can you GPG sign old commits?

Git now has the ability to sign commits with git commit -S, which is great, but sometimes I forget the flag to commit, and sometimes I mail myself patches which I apply with am, and that command doesn't have a flag for signing.

Is there a way to add a signature to an already recorded commit?


  1. Go into interactive rebase mode.
  2. Add the following line after each commit you want to sign:

    exec git commit --amend --no-edit -S

This will run this command after picking each commit.

UPDATE:

An easier way to do this is:

    git rebase --exec 'git commit --amend --no-edit -n -S' -i development

This rebases everything till development (or any hash) and you don't have to copy paste after every commit.


Signing a commit changes its contents, so more recent commits depending on it will change their hash.

If you just want to sign the most recent commit, git commit -S --amend will work.


I use git rebase -i --root (see Rewriting History) and change pick to edit.

Then I use git commit -S --amend --no-edit && git rebase --continue (on Windows) for each commit.

This manually signs each commit. I hope we will find a better solution.


If you need to GPG sign all commits SINCE a particular commit on the current branch, you can use the following instead:

    git filter-branch --commit-filter 'git commit-tree -S "$@";' <COMMIT>..HEAD

Where <COMMIT> is the commit id (e.g. abc123e5).

This has the added benefit that it does not disturb the commit metadata (including commit date). The commit hashes will change, though (since it's a digest of the contents of each commit, and a signature is being added to each commit).

If you also would like to stop getting prompted for your GPG passphrase on every commit, also see this answer: https://askubuntu.com/a/805550

NOTE: Switching from gpg to gpg2 for Git signing will require you to re-import your private key in GPG 2.
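
Two of the answers above note that adding a signature changes a commit's contents, so its hash and the hashes of all later commits change. The following added example (not code from any of the answers) reproduces that without Git by hashing commit objects directly; it assumes the default SHA-1 object format, and the identity, timestamp and signature text are constructed placeholders.

```python
import hashlib

# Constructed sample values: identity, timestamp and a placeholder (not a real signature).
IDENT = "Alice Example <alice@example.com> 1700000000 +0000"
FAKE_SIG = "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----"


def git_object_id(kind, body):
    """Object id as Git computes it: SHA-1 over b'<kind> <length>\\0' + body."""
    header = kind.encode() + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


EMPTY_TREE = git_object_id("tree", b"")  # both commits point at the empty tree


def commit_body(parents, message, signature=None):
    """Serialize a commit object; a signature is stored as a 'gpgsig' header."""
    lines = ["tree " + EMPTY_TREE]
    lines += ["parent " + p for p in parents]
    lines += ["author " + IDENT, "committer " + IDENT]
    if signature is not None:
        # Continuation lines of a multi-line header start with one space.
        lines.append("gpgsig " + signature.replace("\n", "\n "))
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()


def build_chain(sign_first):
    """Return (first_id, second_id) for a two-commit history."""
    sig = FAKE_SIG if sign_first else None
    first = git_object_id("commit", commit_body([], "first", sig))
    # The child records its parent's id, so a changed parent id changes the child.
    second = git_object_id("commit", commit_body([first], "second"))
    return first, second


if __name__ == "__main__":
    for label, sign in (("unsigned", False), ("first commit signed", True)):
        first, second = build_chain(sign)
        print(f"{label:20} first={first[:12]} second={second[:12]}")
```

Only the first commit gains a signature here, yet the second commit's id changes too, while the author and committer lines (and their dates) stay byte-for-byte identical.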