On Mon, 04 Nov 2013, Junio C Hamano wrote:

> Nicolas Vigier <bo...@mars-attacks.org> writes:
> 
> > If you want to GPG sign all your commits, you have to add the -S option
> > all the time. The commit.gpgsign config option allows signing all
> > commits automatically.
> 
> I'm somewhat horrified to imagine the end-user experience this
> "feature" adds to the system; if one sets this configuration and
> then runs "git rebase" or anything that internally creates or
> recreates commits, does one have to sign each and every commit, even
> if such a rebase was done merely as a trial run to see if a topic
> can be rebased to an older codebase, or something?

If the problem is users having to type their passphrase to sign each
commit, we can suggest using an agent in the option description:

  commit.gpgsign::
        A boolean to specify whether all commits should be GPG signed.
        Use of this option when doing operations such as rebase can
        result in a large number of commits being signed. It is therefore
        convenient to use an agent to avoid typing your gpg passphrase
        several times.


An example of why someone might want to use this option is:

You use git to store deployment scripts for some servers. Those
servers have a cron job that pulls from the git repository and runs the
scripts as root. Anyone with root access on the server hosting the git
repository can then gain root access to all your servers quite easily.
You want to avoid this, so you decide that all commits should be gpg
signed, and your servers will now do "git pull --verify-signatures".
People who work on this repository will want to set "commit.gpgsign"
so they don't have to add the -S option all the time.

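The server-side half of the deployment scenario in the message above, as an added example that is not part of the original message or of git: `git pull --verify-signatures` checks the tip commit of the branch being merged, so this sketch goes further and checks every incoming commit before fast-forwarding. The remote and branch names, the function names and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: signature gate for a cron-driven deployment checkout.
# Assumptions: remote "origin", branch "master"; function names are hypothetical.
# The server's GnuPG keyring should hold only the keys allowed to deploy.

# Reads "<commit> <status>" lines (git log --format='%H %G?') on stdin.
# Prints each commit whose status is not G; returns non-zero if any exist.
# G = good signature from a valid key. N (unsigned), B (bad) and
# U (good signature, unknown validity) are all treated as failures here.
unsigned_or_untrusted() {
    awk 'NF && $2 != "G" { print; bad = 1 } END { exit bad + 0 }'
}

# Fetch, verify the whole incoming range, then fast-forward.
# Returns 1 on a signature failure, 2 if git itself fails.
verified_update() {
    remote=${1:-origin}
    branch=${2:-master}
    git fetch --quiet "$remote" "$branch" || return 2
    # List every commit the update would bring in, not only the tip.
    report=$(git log --format='%H %G?' HEAD..FETCH_HEAD) || return 2
    if ! printf '%s\n' "$report" | unsigned_or_untrusted >&2; then
        echo "refusing update: commits listed above lack a trusted signature" >&2
        return 1
    fi
    # Fast-forward only, so the working tree always matches verified history.
    git merge --ff-only --quiet FETCH_HEAD
}

# Cron usage (path and script name are placeholders):
#   cd /srv/deploy && verified_update origin master && ./run-scripts.sh
```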