Retroactively signing git commits

Recent git versions (>= 1.7.9) support signing individual commits with GPG.

Is it possible to retroactively sign all commits inside a tree?

3 answers

retroactively sign all commits inside a tree?

Yes: add a tag that you sign.
In fact, this is the preferred option when it comes to signing: sign all of the commits at once via a tag rather than signing them individually.
See "How to get pushing information in messages after receiving?"


Note (update May 2017) that only Git 2.13.x / 2.14 (Q3 2017) will completely fix the signing process, because "git cherry-pick" and other uses of the sequencer machinery did not correctly handle a trailer block whose last line is an incomplete line.
This has been fixed so that the existing incomplete line is completed first, and only then is an additional sign-off (or similar trailer) added.

See commit 44dc738 (April 26, 2017) by Jonathan Tan (jhowtan).
(Merged by Junio C Hamano, gitster, in commit 6ebfa10, May 16, 2017.)

sequencer: add newline before adding footers

When a commit message does not end in a newline, the sequencer does not terminate that line before determining whether a blank line should be added.
This causes the "(cherry picked from ..." and sign-off lines to sometimes appear on the same line as the last line of the commit message.

This behavior was introduced by commit 967dfd4 ("sequencer: use trailer's trailer layout", 2016-11-29). However, reverting that commit would not solve this problem completely: prior to that commit, a conforming footer was considered non-conforming by has_conforming_footer() if there was no terminating newline, so conforming and non-conforming footers were treated the same when they should not be.

Fix this issue for both conforming and non-conforming footers, in do_pick_commit() and append_signoff(), by always adding a newline to the commit message if it does not end in one before checking the footer for conformance.

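To make the trailer-handling fix described in the quoted commit message concrete, here is an added Python model (not git's C code, and not part of the original answer) of the sign-off/cherry-pick trailer logic. It simplifies git's notion of a "conforming footer" to a final paragraph made only of "Token: value" lines or "(cherry picked from commit ..." lines, and puts the naive appender beside the fixed one so the failure mode is visible.

```python
import re

# Simplified model of git's trailer rules (an illustration, not git's code).
# A conforming footer is a final paragraph consisting solely of trailer lines.
TRAILER_RE = re.compile(r"^[A-Za-z0-9-]+: \S.*$")
CHERRY_PICKED_PREFIX = "(cherry picked from commit "


def is_trailer_line(line: str) -> bool:
    """Trailer lines look like 'Signed-off-by: x' or git's cherry-pick note."""
    return bool(TRAILER_RE.match(line)) or line.startswith(CHERRY_PICKED_PREFIX)


def has_conforming_footer(msg: str) -> bool:
    """True if the last paragraph of msg is made up only of trailer lines."""
    paragraphs = msg.rstrip("\n").split("\n\n")
    if len(paragraphs) < 2:  # subject only: there is no footer paragraph yet
        return False
    return all(is_trailer_line(line) for line in paragraphs[-1].split("\n"))


def append_trailer_naive(msg: str, trailer: str) -> str:
    """Append a trailer WITHOUT terminating an incomplete last line first.

    If msg lacks a final newline and already ends in a conforming footer, the
    new trailer lands on the same line as the last footer line, which is the
    symptom the commit message describes.
    """
    if not has_conforming_footer(msg):
        msg += "\n"  # meant to open a new footer paragraph
    return msg + trailer + "\n"


def append_trailer_fixed(msg: str, trailer: str) -> str:
    """Post-fix behaviour: complete the incomplete line, then decide whether a
    blank separator line is needed, then append the trailer on its own line."""
    if msg and not msg.endswith("\n"):
        msg += "\n"  # the fix: terminate the last line before the footer check
    if not has_conforming_footer(msg):
        msg += "\n"  # body does not end in a footer: start a new paragraph
    return msg + trailer + "\n"


if __name__ == "__main__":
    # Constructed sample message with an unterminated trailer line.
    sample = "Fix bug\n\nAcked-by: A <a@example.com>"
    sob = "Signed-off-by: B <b@example.com>"
    print(repr(append_trailer_naive(sample, sob)))  # trailers run together
    print(repr(append_trailer_fixed(sample, sob)))  # each trailer on its own line
```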

The signature from git commit --gpg-sign (aka -S) is part of the data used to generate the SHA-1 hash that identifies the commit. Therefore, retroactive signing requires changing the identifier of each commit that is signed.

If you really want to, you could do something with git filter-branch, but it would be better to just sign new commits. Since the commit identifiers of all ancestors are part of the data signed by any new commit, this still lets you use the GPG signatures on the new commits to check the old ones.


You can try to create a new branch from the place where you want to start signing your commits. I recently did this for a branch that I created on a machine without access to my private key:

 # git checkout -b new-branch <last-signed-commit>
 # git cherry-pick <first-unsigned-commit>
 # git checkout unsigned-branch
 # git rebase new-branch

This requires your Git to be configured to automatically sign your commits, and obviously there shouldn't be too many commits, otherwise the rebase will look weird. When in doubt, cherry-pick your commits; each picked commit will be signed.


Source: https://habr.com/ru/post/1447639/
