Re: [PATCH] Add the commit.gpgsign option to sign all commits

2013-11-05 Thread Junio C Hamano
Nicolas Vigier writes:

> If the problem is users having to type their passphrase to sign each
> commit, we can suggest using an agent in the option description:

Yeah, that is probably a good idea.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] Add the commit.gpgsign option to sign all commits

2013-11-05 Thread Nicolas Vigier
On Mon, 04 Nov 2013, Junio C Hamano wrote:

> Nicolas Vigier writes:
>
> > If you want to GPG sign all your commits, you have to add the -S option
> > all the time. The commit.gpgsign config option allows signing all
> > commits automatically.
>
> I'm somewhat horrified to imagine the end-user experience this
> "feature" adds to the system; if one sets this configuration and
> then runs "git rebase" or anything that internally creates or
> recreates commits, does one have to sign each and every commit, even
> if such a rebase was done merely as a trial run to see if a topic
> can be rebased to an older codebase, or something?

If the problem is users having to type their passphrase to sign each
commit, we can suggest using an agent in the option description:

  commit.gpgsign::
        A boolean to specify whether all commits should be GPG signed.
        Use of this option when doing operations such as rebase can
        result in a large number of commits being signed. It is therefore
        convenient to use an agent to avoid typing your gpg passphrase
        several times.


An example of why someone might want to use this option is:

You use git to store deployment scripts for some servers. Those
servers have a cron job that pulls from the git repository and runs the
scripts as root. Anyone with root access on the server hosting the git
repository can then gain root access to all your servers quite easily.
You want to avoid this, so you decide that all commits should be gpg
signed, and your servers will now do "git pull --verify-signatures".
People who work on this repository will want to set "commit.gpgsign"
so they don't have to add the -S option all the time.

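An added example, not part of the original message or of the git project: the deployment scenario above relies on `git pull --verify-signatures`, which checks the tip commit of the branch being merged. The script below goes a step further and checks every incoming commit with `git log --format='%H %G?'` before fast-forwarding; the remote `origin`, the branch `master`, the function names and the sample hashes are assumptions.

```shell
#!/bin/sh
# Added example: verify every incoming commit before a deploy host updates.
# Assumptions: remote "origin", branch "master", and the trusted signing keys
# are already present (and marked valid) in the deploy user's GnuPG keyring.

# Read "<commit-hash> <%G? status>" lines on stdin and print the hashes whose
# status is not "G" (good signature from a key GnuPG considers valid).
# Everything else is rejected: N = unsigned, B = bad signature,
# U = good signature but unknown key validity, and so on.
unverified_commits() {
    while read -r hash status; do
        [ -n "$hash" ] || continue
        [ "$status" = "G" ] || printf '%s\n' "$hash"
    done
}

# Fetch, check every commit that is new relative to HEAD, then fast-forward.
# Returns non-zero and leaves the work tree untouched if any commit fails.
verified_update() {
    remote=${1:-origin} branch=${2:-master}
    git fetch --quiet "$remote" "$branch" || return 1
    bad=$(git log --format='%H %G?' HEAD..FETCH_HEAD | unverified_commits)
    if [ -n "$bad" ]; then
        printf 'refusing to deploy, unverified commits:\n%s\n' "$bad" >&2
        return 1
    fi
    git merge --quiet --ff-only FETCH_HEAD
}

# Constructed sample of `git log --format='%H %G?'` output (hashes made up).
sample_log() {
    printf '%s\n' \
        '1111111111111111111111111111111111111111 G' \
        '2222222222222222222222222222222222222222 N' \
        '3333333333333333333333333333333333333333 B' \
        '4444444444444444444444444444444444444444 U'
}
```

The cron job would call `verified_update origin master` and run the deployment scripts only when it returns zero.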


Re: [PATCH] Add the commit.gpgsign option to sign all commits

2013-11-04 Thread brian m. carlson
On Mon, Nov 04, 2013 at 03:43:37PM -0800, Junio C Hamano wrote:
> Nicolas Vigier writes:
>
> > If you want to GPG sign all your commits, you have to add the -S option
> > all the time. The commit.gpgsign config option allows signing all
> > commits automatically.
>
> I'm somewhat horrified to imagine the end-user experience this
> "feature" adds to the system; if one sets this configuration and
> then runs "git rebase" or anything that internally creates or
> recreates commits, does one have to sign each and every commit, even
> if such a rebase was done merely as a trial run to see if a topic
> can be rebased to an older codebase, or something?

Probably so, but you can use an agent so this happens automatically.
It's not very useful for people who don't use an agent.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: [PATCH] Add the commit.gpgsign option to sign all commits

2013-11-04 Thread Nicolas Vigier
On Mon, 04 Nov 2013, Junio C Hamano wrote:

> Nicolas Vigier writes:
>
> > If you want to GPG sign all your commits, you have to add the -S option
> > all the time. The commit.gpgsign config option allows signing all
> > commits automatically.
>
> I'm somewhat horrified to imagine the end-user experience this
> "feature" adds to the system; if one sets this configuration and
> then runs "git rebase" or anything that internally creates or
> recreates commits, does one have to sign each and every commit, even
> if such a rebase was done merely as a trial run to see if a topic
> can be rebased to an older codebase, or something?

Yes, all rebased commits will be signed, even if it was done as a trial
run. But I don't see this as a problem. The signature indicates who did
the rebase.



Re: [PATCH] Add the commit.gpgsign option to sign all commits

2013-11-04 Thread Junio C Hamano
Nicolas Vigier writes:

> If you want to GPG sign all your commits, you have to add the -S option
> all the time. The commit.gpgsign config option allows signing all
> commits automatically.

I'm somewhat horrified to imagine the end-user experience this
"feature" adds to the system; if one sets this configuration and
then runs "git rebase" or anything that internally creates or
recreates commits, does one have to sign each and every commit, even
if such a rebase was done merely as a trial run to see if a topic
can be rebased to an older codebase, or something?

>
> Signed-off-by: Nicolas Vigier 
> ---
>  Documentation/config.txt | 3 +++
>  builtin/commit-tree.c| 7 ++-
>  builtin/commit.c | 4 
>  builtin/merge.c  | 3 +++
>  4 files changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index ab26963d6187..4cfa557375a2 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -988,6 +988,9 @@ commit.cleanup::
>   have to remove the help lines that begin with `#` in the commit log
>   template yourself, if you do this).
>  
> +commit.gpgsign::
> + A boolean to specify whether all commits should be GPG signed.
> +
>  commit.status::
>   A boolean to enable/disable inclusion of status information in the
>   commit message template when using an editor to prepare the commit
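
Review bot: the new commit.gpgsign entry is a single sentence and does not say which key is used; the code in this patch stores an empty string in sign_commit, so no key id can be given through this option. Suggest stating the key selection in the description and noting that operations which recreate many commits will sign each of them.
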
> diff --git a/builtin/commit-tree.c b/builtin/commit-tree.c
> index f641ff2a898c..1646d5b25e4f 100644
> --- a/builtin/commit-tree.c
> +++ b/builtin/commit-tree.c
> @@ -12,6 +12,8 @@
>  
>  static const char commit_tree_usage[] = "git commit-tree [(-p )...] 
> [-S[]] [-m ] [-F ]
> +static const char *sign_commit;
> +
>  static void new_parent(struct commit *parent, struct commit_list **parents_p)
>  {
>   unsigned char *sha1 = parent->object.sha1;
> @@ -31,6 +33,10 @@ static int commit_tree_config(const char *var, const char 
> *value, void *cb)
>   int status = git_gpg_config(var, value, NULL);
>   if (status)
>   return status;
> + if (!strcmp(var, "commit.gpgsign")) {
> + sign_commit = git_config_bool(var, value) ? "" : NULL;
> + return 0;
> + }
>   return git_default_config(var, value, cb);
>  }
>  
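
Review bot: the commit.gpgsign check in commit_tree_config() makes the plumbing command git commit-tree sign by default, which silently changes what existing scripts that call it produce. Consider leaving commit-tree to sign only on an explicit -S. If the check stays, note that it sits after git_gpg_config() here but before it in builtin/commit.c; pick one order.
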
> @@ -41,7 +47,6 @@ int cmd_commit_tree(int argc, const char **argv, const char 
> *prefix)
>   unsigned char tree_sha1[20];
>   unsigned char commit_sha1[20];
>   struct strbuf buffer = STRBUF_INIT;
> - const char *sign_commit = NULL;
>  
>   git_config(commit_tree_config, NULL);
>  
> diff --git a/builtin/commit.c b/builtin/commit.c
> index 6ab4605cf5c2..cffddf210807 100644
> --- a/builtin/commit.c
> +++ b/builtin/commit.c
> @@ -1406,6 +1406,10 @@ static int git_commit_config(const char *k, const char 
> *v, void *cb)
>   }
>   if (!strcmp(k, "commit.cleanup"))
>   return git_config_string(&cleanup_arg, k, v);
> + if (!strcmp(k, "commit.gpgsign")) {
> + sign_commit = git_config_bool(k, v) ? "" : NULL;
> + return 0;
> + }
>  
>   status = git_gpg_config(k, v, NULL);
>   if (status)
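
Review bot: git_commit_config() now turns signing on from configuration, but nothing in this patch adds a command-line way to turn it off for one invocation, so a user with commit.gpgsign set cannot make an unsigned trial commit. Suggest adding a negating option (for example --no-gpg-sign) together with this hunk, and a test; the diffstat lists no file under t/.
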
> diff --git a/builtin/merge.c b/builtin/merge.c
> index 02a69c14e6ab..fea27244557d 100644
> --- a/builtin/merge.c
> +++ b/builtin/merge.c
> @@ -604,6 +604,9 @@ static int git_merge_config(const char *k, const char *v, 
> void *cb)
>   } else if (!strcmp(k, "merge.defaulttoupstream")) {
>   default_to_upstream = git_config_bool(k, v);
>   return 0;
> + } else if (!strcmp(k, "commit.gpgsign")) {
> + sign_commit = git_config_bool(k, v) ? "" : NULL;
> + return 0;
>   }
>  
>   status = fmt_merge_msg_config(k, v, cb);
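
Review bot: the key handled in git_merge_config() is commit.gpgsign, yet the Documentation/config.txt text does not say that merge commits are covered; state that there. This is also the third copy of 'sign_commit = git_config_bool(k, v) ? "" : NULL;', which would be better placed in one shared helper so the three commands cannot drift apart.
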