git - 有没有办法使用 GPG key 在 Git 中提交 "autosign"？

Question

有没有一种简单的方法可以让 Git 始终对创建的每个提交或标记进行签名？

我试过类似的东西:

alias commit = commit -S

但这并没有起到作用。

我不想安装其他程序来实现此目的。是否可以轻松实现？

只是一个附带问题，也许不应该对提交进行签名，只有标签，我从未创建过标签，因为我为 Homebrew 等项目提交了单个提交。

Answer 1

注意:如果您不想一直添加 -S 以确保您的提交已签名，则有一个建议(分支 'pu'现在，2013 年 12 月，所以不能保证它会成为 git 版本)添加一个配置，它将为你处理该选项。
2014 年 5 月更新:它在 Git 2.0 中(在 resend in this patch series 之后)

参见 commit 2af2ef3通过 Nicolas Vigier (boklm) :

添加 commit.gpgsign 选项来签署所有提交

If you want to GPG sign all your commits, you have to add the -S option all the time.
The commit.gpgsign config option allows to sign all commits automatically.

commit.gpgsign

A boolean to specify whether all commits should be GPG signed.
Use of this option when doing operations such as rebase can result in a large number of commits being signed. It may be convenient to use an agent to avoid typing your GPG passphrase several times.

---

该配置通常是按 repo 设置的(您不需要签署您的私有(private)实验性本地 repo ):

cd /path/to/repo/needing/gpg/signature
git config commit.gpgsign true

您可以将它与用作全局设置的 user.signingKey 结合使用(用于您要签署提交的所有 repo 的唯一 key )

git config --global user.signingkey F2C7AB29!
                                           ^^^

作为ubombi建议 the comments (并在“GPG Hardware Key and Git Signing”中解释，基于“How to Specify a User Id”)

When using gpg an exclamation mark (!) may be appended to force using the specified primary or secondary key, and not to try and calculate which primary or secondary key to use.

请注意 Rik添加 the comments :

If you're using something like a YubiKey (as recommended) you don't need to worry about the exclamation point because the only signing key(s) you should have available for a primary key-pair are:

• the primary key itself, which should have a # after it indicating it's not available,
• and the secret subkey with a > after it indicating it's a stub that points to the YubiKey as the only available signing key in its applet.

Only if you keep all your private keys available on your system (bad practice), then probably it would be a good idea to prevent auto-selection between available signing keys

---

user.signingKey 是在 git 1.5.0(2007 年 1 月)中引入的 commit d67778e :

There shouldn't be a requirement that I use the same form of my name inmy git repository and my gpg key.
Further I might have multiple keys in my keyring, and might want to use one that doesn't match up with the address I use in commit messages.

This patch adds a configuration entry "user.signingKey" which, if present, will be passed to the "-u" switch for gpg, allowing the tag signing key to be overridden.

这是通过 commit aba9119 强制执行的(git 1.5.3.2) 为了捕捉如果用户在他们的 .git/config 中错误配置了 user.signingKey 或者只是没有任何 key 的情况在他们的 key 圈上。

注意事项:

• 按照惯例，since git 2.4.0 March 2015 , 它是 signingKey, not signingkey ，即使 git config 键不区分大小写。仅当您执行 git config --get-regexp 时才有意义， 区分大小写，否则，它只是一种可读性约定；
• 如果你想要 git server to check the signature for each push ，您至少需要 git 2.2+(2014 年 10 月)(commit b945901)，如 git push --signed未能考虑 user.signingKey 配置值；
• git 2.9(2016 年 6 月)将使用 user.signingKey 强制签署带注释的 tags 以及提交:commit 61c2fe0 .