只有当您在系统上保留所有可用的私钥(不好的做法)时,才可能防止在可用的签名密钥之间进行自动选择 user.signingKey是在git 1.5.0(2007年1月)中引入的,其代码为commit d67778e: 不应该要求我在git仓库和gpg密钥中使用相同形式的名字。 此外,我可能在我的keyring中有多个密钥,并且可能想使用一个与我在提交消息中使用的地址不匹配的密钥。 此修补程序添加了一个配置条目“user.signingKey“(如果存在),该条目将被传递到gpg的“-u”开关,从而允许覆盖标记签名密钥。 这是在commit aba9119(git www.example.com)中强制执行1.5.3.2的,目的是为了捕获以下情况:If the user has misconfigured user.signingKey in their .git/config,或者只是他们的keyring中没有任何密钥。 备注:
按照约定,since git 2.4.0 March 2015是signingKey,而不是signingkey,即使git config键是不区分大小写的,这只有在你使用git config --get-regexp时才有意义,git config --get-regexp是区分大小写的,否则,它只是一个可读性约定;
Edit: As of Git version 1.7.9, it is possible to sign Git commits ( git commit -S ). Updating the answer slightly to reflect this. The question title is: Is there a way to “autosign” commits in Git with a GPG key? Short answer: yes, but don't do it. Addressing the typo in the question: git commit -s does not sign the commit. Rather, from the man git-commit page: -s, --signoff Add Signed-off-by line by the committer at the end of the commit log message. This gives a log output similar to the following:
± $ git log [0:43:31]
commit 155deeaef1896c63519320c7cbaf4691355143f5
Author: User Name
Date: Mon Apr 16 00:43:27 2012 +0200
Added .gitignore
Signed-off-by: User Name
Note the "Signed-off-by: ..." bit; that was generated by the -s flag on the git-commit . Quoting the release announcement email :
"git commit" learned "-S" to GPG-sign the commit; this can be shown with the "--show-signature" option to "git log".
So yes, you can sign commits. However, I personally urge caution with this option; automatically signing commits is next to pointless, see below: Just a side question, maybe commits shouldn't be signed, only tags, which I never create, as I submit single commits. That's correct. Commits are not signed; tags are. The reason for this can be found in this message by Linus Torvalds , the last paragraph of which says: Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less. It also doesn't add any real value, since the way the git DAG-chain of SHA1's work, you only ever need one signature to make all the commits reachable from that one be effectively covered by that one. So signing each commit is simply missing the point. I'd encourage a browse of the linked message, which clarifies why signing commits automatically is not a good idea in a far better way than I could.
However, if you want to automatically sign a tag, you would be able to do that by wrapping the git-tag -[s|u] in an alias; if you're going to do that, you probably want to setup your key id in ~/.gitconfig or the project-specific .git/config file. More information about that process can be seen in the git community book . Signing tags is infinitely more useful than signing each commit you make.
6条答案
按热度按时间pxy2qtax1#
注意:如果你不想一直添加
-S
来确保你的提交被签名,有一个建议(分支'pu
'现在是2013年12月,所以不保证它会被git发布)来添加一个config,它会为你处理这个选项。2014年5月更新:它在Git 2.0中(在resend in this patch series之后)
请参阅commit 2af2ef3与Nicolas Vigier (boklm):
添加
commit.gpgsign
选项以签署所有提交如果你想对所有的提交进行GPG签名,你必须一直添加
-S
选项。commit.gpgsign
配置选项允许自动签署所有提交。一个布尔值,用于指定是否所有提交都应进行GPG签名。
在执行诸如重定基之类的操作时使用此选项会导致大量的提交被签名。使用代理可能会很方便,以避免多次键入GPG密码。
该配置通常是针对每个存储库设置的(您不需要对您的私有实验性本地存储库进行签名):
您可以将其与用作全局设置的
user.signingKey
(用于您希望签署提交的所有存储库的唯一密钥)结合使用正如ubombi在评论中所建议的(并在“GPG Hardware Key and Git Signing“中解释,基于“How to Specify a User Id“)
当使用gpg时,可以附加感叹号(
!
)以强制使用指定的主键或辅键,而不是尝试和计算要使用哪个主键或辅键。请注意,Rik在注解中添加了以下内容:
如果你使用的是YubiKey(推荐),你不需要担心感叹号,因为你应该拥有的唯一的签名密钥是:
#
,表示它不可用,>
的秘密子密钥,表明它是一个指向YubiKey的存根,YubiKey是其applet中唯一可用的签名密钥。只有当您在系统上保留所有可用的私钥(不好的做法)时,才可能防止在可用的签名密钥之间进行自动选择
user.signingKey
是在git 1.5.0(2007年1月)中引入的,其代码为commit d67778e:不应该要求我在git仓库和gpg密钥中使用相同形式的名字。
此外,我可能在我的keyring中有多个密钥,并且可能想使用一个与我在提交消息中使用的地址不匹配的密钥。
此修补程序添加了一个配置条目“
user.signingKey
“(如果存在),该条目将被传递到gpg的“-u”开关,从而允许覆盖标记签名密钥。这是在commit aba9119(git www.example.com)中强制执行1.5.3.2的,目的是为了捕获以下情况:If the user has misconfigured
user.signingKey
in their.git/config
,或者只是他们的keyring中没有任何密钥。备注:
signingKey
,而不是signingkey
,即使git config
键是不区分大小写的,这只有在你使用git config --get-regexp
时才有意义,git config --get-regexp
是区分大小写的,否则,它只是一个可读性约定;git push --signed
没有考虑user.signingKey
的配置值;user.signingKey
来强制签署带注解的 tags 和提交:commit 61c2fe0中的一个。juud5qan2#
用您的密钥ID替换9E08524833CB3038FDE385C54C0AFCCFED5CDE14。请记住:It's never a good idea to use the short ID。
**更新:**根据a new git edict,所有配置键都应使用camelCase.
nfzehxib3#
Edit: As of Git version 1.7.9, it is possible to sign Git commits (
git commit -S
). Updating the answer slightly to reflect this.The question title is:
Is there a way to “autosign” commits in Git with a GPG key?
Short answer: yes, but don't do it.
Addressing the typo in the question:
git commit -s
does not sign the commit. Rather, from theman git-commit
page:-s, --signoff
Add Signed-off-by line by the committer at the end of the commit log message.
This gives a log output similar to the following:
Note the "Signed-off-by: ..." bit; that was generated by the
-s
flag on thegit-commit
.Quoting the release announcement email :
So yes, you can sign commits. However, I personally urge caution with this option; automatically signing commits is next to pointless, see below:
Just a side question, maybe commits shouldn't be signed, only tags, which I never create, as I submit single commits.
That's correct. Commits are not signed; tags are. The reason for this can be found in this message by Linus Torvalds , the last paragraph of which says:
Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less. It also doesn't add any real value, since the way the git DAG-chain of SHA1's work, you only ever need one signature to make all the commits reachable from that one be effectively covered by that one. So signing each commit is simply missing the point.
I'd encourage a browse of the linked message, which clarifies why signing commits automatically is not a good idea in a far better way than I could.
However, if you want to automatically sign a tag, you would be able to do that by wrapping the
git-tag -[s|u]
in an alias; if you're going to do that, you probably want to setup your key id in~/.gitconfig
or the project-specific.git/config
file. More information about that process can be seen in the git community book . Signing tags is infinitely more useful than signing each commit you make.jutyujz04#
要使自动签名在git 2.0版之前工作,你必须为提交添加git别名。
70gysomp5#
首先设置公钥,用于对所有提交、标记和推送进行签名。
在本例中,公钥为
F6EED39A
。现在运行以下命令。请注意,如果使用
push.gpgSign true
,并且服务器不支持签名推送,则推送将失败。另一种方法是使用:上面写着,如果服务器支持,就对所有推送进行签名。
现在你所有的提交、标签和推送都将自动由你给定的公钥签名。
有时您可能需要覆盖这些设置。
对于提交,请使用
git commit --no-gpg-sign -m "Unsigned commit"
对于标记,请使用
git tag --no-sign <tag-name>
对于推送,请使用
git push --no-signed
或--signed=false
。v09wglhw6#
你需要明确的是,如果你签署了一个commit或tag,并不意味着你批准了整个历史。在commit的情况下,你只签署了手头的修改,而在tag的情况下,好吧...你需要定义你的意思。你可能已经拉了一个变化,声称它是从你,但不是(因为别人把它推到了你的遥控器上)。或者这是一个你不想参与的改变,但你只是签了标签。
在典型的OSS项目中,这可能不太常见,但是在企业场景中,您只是偶尔接触代码,而不是阅读整个历史记录,这可能不会被注意到。
如果提交被重定基础或被其他父提交选中,那么对提交进行签名是个问题。但是如果修改后的提交可以指向“原始”提交,而该提交实际上是验证过的,那就更好了。