Signing commits is a longstanding practice, especially around tags (releases) for your projects, however, sometimes this must be done retroactively, especially if you hadn't been signing your commits/releases previously and don't wish to cut a new release simply to append your signature.
Getting your gitconfig setup for GPG signed commits is pretty straight forward. Get your key fingerprint from the output of
gpg -k and you'll see an output like this:
/Users/jmarhee/.gnupg/pubring.kbx --------------------------------- pub rsa2048 2020-06-15 [SC] [expires: 2022-06-15] <fingerprint> uid [ultimate] Joseph D. Marhee <email> sub rsa2048 2020-06-15 [E] [expires: 2022-06-15]
You'll then add it to your Git configuration so Git knows which key to sign your commits with:
git config --global user.signingkey <your Key ID>
and if you want to do this automatically on each commit, you'll also run:
git config commit.gpgsign true
and you're ready to modify your commits.
You'll start an interactive rebase:
git rebase -i --root
scroll until you find your commit in the pick list, then modify the keyword
pick to read
save, and then amend your commit to include the signature, and complete the rebase:
git commit -S --amend --no-edit git rebase --continue
and then push to your branch. One thing to keep in mind is that you sign using the same email address you're committing with (the one you provided when you generated your GPG key); this must match, for example, in order for sites like Github to mark the signature verified. You can update the commit (without updating your Git configuration default email address) using:
git commit --amend --author "Your Name <email@example.com>"
or setting this in your config to persist this for future commits:
git config --global user.email "firstname.lastname@example.org"