Re-signing git commits


Git allows you to sign commits using a GPG key, as a way to prove that a commit that looks like it was made by you was in fact made by you. Perusers of the git history can the verify the signature by running git log --show-signatures. On Github, it's even easier to verify, as Github will add a green "Verified" stamp next to the commit, giving a quick visual indication that the signature came from a GPG key that you have asserted as your own in the Github settings. You can view the signing history for the git repository of this website here. By default, Github will add that stamp to verified commits, and leave any commits that were not signed without a stamp. However, it's possible to activate "Vigilant mode" in the GPG settings of Github, in which case any unsigned commit is flagged with a yellow "Unverified" stamp. Since I'm planning on signing all my commits going forward, I've enabled vigilant mode on my account, but now I'm faced with the eyesore of seeing yellow stamps next to all the commits I made in my halcyon pre-GPG days. This can not stand.

I started exploring if it was possible to retroactively sign commits, and ended up with a pretty neat solution. The full command is git rebase --root --gpg-sign --committer-date-is-author-date. --root makes sure we rebase all the commits on the current branch back to our initial commit. --gpg-sign adds our shiny GPG signature to each commit. By default, git views these commits as new, and so updates the history to show that all our commits happened today. In order to retain the actual commit date for each commit, we add the final component: --committer-date-is-author-date.

So there you have it, a way to retroactively sign all your git commits on a branch. Even though we fixed the most obvious sign of us messing with the git history, it's worth noting that this will most likely cause issues with any open branches that branched from the old history. We're effectively rewriting the whole git history, with new commit hashes and all - you will need to force-push the new branch to update the view on Github.. It's up to you whether the green badges are worth it. Caveat lector, and godspeed.

Comment via email