Before I started my job, all I knew how to do with Git was:
git add .
git commit -m "commit message"
git push origin <branch-name>
On my first day, I learned that I needed to set up a GPG key so that I could sign my commit messages.
What's the purpose of signing your commits?
GnuPG allows you to encrypt and sign your data and communications. GPG, or GNU Privacy Guard, is a public-key cryptography implementation. This allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.
Signing your commits lets others verify that a commit attributed to you was really made with your key, which gives you ownership over your work and your communication.
However, sometimes, I forget to sign my commits and have to go back and fix it 😅
It felt daunting at first because I was afraid I'd mess up my commits and therefore, my entire branch and get into a git mess. But as I've been religiously practicing Git, I'm getting more comfortable fixing my mistakes and figuring out solutions to conflicts.
The Solution
1 - Interactive Rebase. You want to begin the rebase at the commit just before the commit that needs to be modified. In my case, it turned out that NONE of my commits were signed after finishing up an entire project/task. So I had to go back and sign them all. I started at the very top of the commits:
git rebase -i 3a08ed4~1
This will open a text editor that'll show all the commits you have in your branch. They'll all say pick next to each commit ID and the message.
Example:
pick 3a08ed4 added Summer playlist to Spotify
pick 5a68cc9 updated README for Summer Plans
pick 6ff7e5a removed spring header
# Rebase c6e777e..39574f2 onto c992o90 (3 commands)
#
# Commands:
(Or something like that)
2 - Replace pick with edit within the editor and save your changes (in Vim, with ESC and then :wq).
So it would look like:
edit 3a08ed4 added Summer playlist to Spotify
edit 5a68cc9 updated README for Summer Plans
edit 6ff7e5a removed spring header
# Rebase c6e777e..39574f2 onto c992o90 (3 commands)
#
# Commands:
REMEMBER: I messed up and didn't have ANY of my commits signed. If you missed one, you'd only edit the one you didn't sign.
3 - Once you save your changes, git will bring you back to the command line. Here, you'll do:
git commit --amend --no-edit -S
--amend: rewrite the previous commit instead of creating a new one.
--no-edit: use the existing commit message, no need to edit this.
-S: GPG-sign the commit.
4 - After you've fixed the commit, you'll run:
git rebase --continue
5 - Lastly, to check that my commit has been signed, I'll run:
git log --show-signature
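To find which commits still need a signature before the rebase in step 1, and to confirm the result in step 5, `git log` can print a one-letter signature status per commit with the `%G?` placeholder. The script below is an added example, not code from the original post; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag commits that would fail a "signed commits" policy.
# Input lines look like "<hash> <status> <subject>", as produced by:
#   git log --reverse --format='%h %G? %s' <base>..HEAD
# %G? values (git-log docs): G good, B bad, U good with unknown validity,
# X good but expired signature, Y good but expired key, R good but
# revoked key, E cannot be checked (e.g. missing key), N no signature.

# classify_signatures: read log lines on stdin, print only problem commits.
classify_signatures() {
  while read -r hash status subject; do
    case "$status" in
      G) ;;  # good signature, nothing to report
      N) printf 'UNSIGNED %s %s\n' "$hash" "$subject" ;;
      B|U|X|Y|R|E) printf 'CHECK(%s) %s %s\n' "$status" "$hash" "$subject" ;;
      *) printf 'UNKNOWN(%s) %s %s\n' "$status" "$hash" "$subject" ;;
    esac
  done
}

# first_unsigned: oldest unsigned commit in the input. The interactive
# rebase has to start at its parent: git rebase -i <hash>~1
first_unsigned() {
  classify_signatures | awk '$1 == "UNSIGNED" && !seen { print $2; seen = 1 }'
}

# check_range: run the classifier against a real repository range,
# for example: check_range main..HEAD
check_range() {
  git log --reverse --format='%h %G? %s' "$1" | classify_signatures
}

# Constructed sample (oldest first), reusing the commit IDs from the
# example above with made-up statuses.
SAMPLE_LOG='3a08ed4 N added Summer playlist to Spotify
5a68cc9 G updated README for Summer Plans
6ff7e5a N removed spring header'
```

Run `check_range <base>..HEAD` before and after the rebase; an empty result afterwards means every commit in the range carries a good signature. Amending changes the hash of every rewritten commit, so a branch that was already pushed needs `git push --force-with-lease` afterwards.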
Resources:
How To Use GPG to Encrypt and Sign Messages
GnuPG Documentation
GitHub Documentation
Top comments (6)
Can you add to the article what happens if you don't sign?
GitHub doesn't block unsigned commits.
You just don't get the verified flag. Like the flag I get when committing in GitHub UI.
I'm guessing it doesn't impact most people. Maybe if you are contributing to a high-profile repo and it is required by the maintainer. Or you have people creating commits as your user (it does happen for people who are malicious or protesting but probably won't happen to you).
Well no because this is specifically about going back to a previous commit to sign and I mentioned that I have to sign my commits for work.
Oh sorry I missed that bit.
Nicely done. If you're sure you don't want to make any changes, just sign the commits, you can pass in the command in the git rebase command itself, something like,
How about a git alias for future commits?
So that git commit or even git co will run
Nice post!!