Zahra Khan

Git: Fixing Unsigned GPG Commits

Before I started my job, all I knew how to do with Git was

git add .
git commit -m "commit message"
git push origin <branch-name>

On my first day, I learned that I needed to set up a GPG key so that I could sign my commit messages.

What's the purpose of signing your commits?

GnuPG allows you to encrypt and sign your data and communications. GPG, or GNU Privacy Guard, is a public-key cryptography implementation. It allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.

Signing your commits allows you to have ownership over your work and your communication.

However, sometimes, I forget to sign my commits and have to go back and fix it 😅

It felt daunting at first because I was afraid I'd mess up my commits and therefore, my entire branch and get into a git mess. But as I've been religiously practicing Git, I'm getting more comfortable fixing my mistakes and figuring out solutions to conflicts.

The Solution

1 - Interactive Rebase. You want to begin the rebase at the commit just before the commit that needs to be modified. In my case, it turned out that NONE of my commits were signed after finishing up an entire project/task. So I had to go back and sign them all. I started at the very top of the commits:

git rebase -i 3a08ed4~1

This will open a text editor that'll show all the commits you have in your branch. They'll all say pick next to each commit ID and the message.

Example:

pick 3a08ed4 added Summer playlist to Spotify
pick 5a68cc9 updated README for Summer Plans
pick 6ff7e5a removed spring header

# Rebase c6e777e..39574f2 onto c992o90 (3 commands)
#
# Commands: 

(Or something like that)

2 - Replace pick with edit in the editor, then save your changes and quit (in Vim: press ESC, then type :wq).

So it would look like:

edit 3a08ed4 added Summer playlist to Spotify
edit 5a68cc9 updated README for Summer Plans
edit 6ff7e5a removed spring header

# Rebase c6e777e..39574f2 onto c992o90 (3 commands)
#
# Commands: 

REMEMBER: I messed up and didn't have ANY of my commits signed. If you missed one, you'd only edit the one you didn't sign.

3 - Once you save your changes, git will bring you back to the command line. Here, you'll do:

git commit --amend --no-edit -S

--amend : replace the previous commit with a new version instead of adding a new commit.
--no-edit : reuse the existing commit message without opening the editor.
-S : GPG-sign the commit.

4 - After you've fixed the commit, you'll run:

git rebase --continue

5 - Lastly, to check that my commit has been signed, I'll run:

git log --show-signature

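Added example (not part of the original post): a helper that reads per-commit signature status and writes the pick/edit list for step 2. It marks the first unsigned commit and every commit after it as edit, because amending a commit changes its hash and the commits replayed on top of it do not keep their old signatures. The function names and the sample statuses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Input lines are
# "<hash> <status> <subject>", oldest first, as printed by:
#   git log --reverse --format='%h %G? %s' <range>
# %G? is git's signature status: G = good, N = none, B = bad.

# Build the rebase todo list. Commits before the first unsigned one stay
# "pick" (their hashes do not change). The first unsigned commit and every
# commit after it become "edit": amending a commit gives it a new hash, so
# its descendants are re-created and do not keep their old signatures.
make_todo() {
  awk '{
    if ($2 == "N" || $2 == "B") rewrite = 1
    action = rewrite ? "edit" : "pick"
    hash = $1
    $1 = ""; $2 = ""
    sub(/^ +/, "")
    print action, hash, $0
  }'
}

# Oldest commit that needs a signature; start the rebase at its parent.
first_unsigned() {
  awk '$2 == "N" || $2 == "B" { print $1; exit }'
}

# Same data from a real repository. The range (e.g. main..HEAD) is an
# assumption; use whatever covers your branch.
status_lines() {
  git log --reverse --format='%h %G? %s' "$1"
}

# Constructed sample: the post's three commit IDs, first one already signed.
SAMPLE='3a08ed4 G added Summer playlist to Spotify
5a68cc9 N updated README for Summer Plans
6ff7e5a N removed spring header'

printf '%s\n' "$SAMPLE" | make_todo
echo "start with: git rebase -i $(printf '%s\n' "$SAMPLE" | first_unsigned)~1"
```

In a real repository, pipe status_lines <range> into make_todo instead of the sample, and run git log --show-signature afterwards to confirm every rewritten commit is signed.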

Top comments (6)

Michael Currin

Can you add to the article what happens if you don't sign?

GitHub doesn't block unsigned commits.

You just don't get the verified flag. Like the flag I get when committing in GitHub UI.

I'm guessing it doesn't impact most people. Maybe if you are contributing to a high profile repo and it is required by the maintainer. Or you have people creating commits as your user (it does happen for people who are malicious or protesting but probably won't happen to you).

Zahra Khan

Well no because this is specifically about going back to a previous commit to sign and I mentioned that I have to sign my commits for work.

Michael Currin

Oh sorry I missed that bit.

Sahu, S

Nicely done. If you're sure you don't want to make any changes, just sign the commits, you can pass in the command in the git rebase command itself, something like,

git rebase -i <ref> --exec 'git commit --amend -S --no-edit'
 
Michael Currin

How about a git alias for future commits?

So that git commit or even git co will run

git commit -S
 
Zxce3

Nice post!!