On Thu, 30 Jan 2014 22:59:12 -0800 (PST)
Tom Wieczorek <t...@bibbu.net> wrote:

> I'd like to sign git commits with my GPG key after they have been 
> committed. I know that I can sign them at commit time using git -S.
> But, is it possible to sign a single commit afterwards? I use an IDE
> that doesn't support signing. So I'd like to add my signature to
> those commits from the command line. I also know that there is an
> autosign git config value, but this one scares me a bit. I'd like to
> sign commits proactively, not just by accident.

IIRC, you can't sign a commit after it has been created because, well,
it has been created already, and objects in the Git database are

So, basically, I'd say you have two possibilities:

* You should be able to amend the tip commit.  This would essentially
  replace it (that's what `git amend` does).  This should work for
  unpushed commits, and obviously only works for the tip commit
  (what HEAD points at).

* You might attach an annotated tag to any commit you like.
  Annotated tags may be signed, and that's what, say, Git project
  does to do releases: a signed annotated tag is attached to a commit
  which designates a released state.
  Use `git tag -a` for this.

I think the latter option is the most sensible.  The idea is that
there's no need to sign *each* commit because once you signed a tag,
you authenticated the whole subgraph of commits reachable from this
tag--simply because the tag references its commit by its SHA-1 name,
it, in turn, reference all the objects comprising the committed state
by the SHA-1 names of those objects, and its parent commits--by their
SHA-1 names as well.  Since we take SHA-1 names to be cryptographically
strong (exploitation of a collision attack for injection of
sensible malicious data into the repository is infeasible), by
attaching a signed annotated tag to a commit you effectively sign all
objects reachable from that one--even though they're not signed

Note that the Git repo even has the maintainer's public key injected
into it--for easier verification; it's done like this:

  $ git tag gpg-key $(git hash-object -w <my-gpg-pub.key)
  $ git push hub gpg-key

You received this message because you are subscribed to the Google Groups "Git 
for human beings" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to git-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to