The Unclear Impact

So today I realised that I forgot to add the global setting to make me automatically sign my git commits:

git config --global commit.gpgsign true

(Just setting up your user.signingkey isn’t enough.)

Also, you can go rebase your whole history to sign all your commits using:

git rebase --signoff --root

(However, you’ll end up with a linear history and lose any branch/merge history, etc.)

#git #commit #gpg #signatures #signedCommits #rebase #signoff

@aral git rebase --rebase-merges is a thing

@ikke Ooh, thanks, I’ll have a play tomorrow :)

@aral If I were looking at your history over time, rather than seeing a total rewrite (including rewriting hashes), I would prefer for you to add a single, signed, empty commit with a message along the following lines:

> I hereby assert that the current state of the code is as I expect. Signed, Aral.

That preserves history and tells the truth: you didn't sign each commit, but you are happy to sign the current state and will keep on doing so moving forward.

@samir Good shout, thanks.

I guess signing commits after a certain commit also implicitly makes that point.

(Also related: https://pleroma.marussy.com/objects/70b52bfb-d403-4109-a552-6dec5a6d68f6)

@aral@mastodon.ar.al I didn't know you could go back and sign your old commits!

@lewdum @julia Ah, good use case :)

@lewdum @julia Yep, any rewriting of history requires a force push.

@lewdum @julia (I just realised that sounds far more profound than it is.) :)