gitsigngit-sign

Git sign off previous commits?

I was wondering how to sign(-s) off previous commits that I have made in the past in git?

CLARIFICATION: Git has confusingly similarly named concepts git commit -s, --signoff (lower case -s) and git commit -S, --gpg-sign (upper case -S).
This question is about signoff(lower case -s).
However some answers here are about gpg-sign(upper case -S), that better discussed in dedicated questions on superUser Can you GPG sign old commits? and stackoverflow Is there a way to gpg sign all previous commits?

Solution

  • To signoff the previous commit, use amend option:

    git commit --amend --signoff

    Since Git 2.13, you can use the --signoff rebase option to specify range of commits to signoff (credits to @sschuberth). Example to signoff last two commits:

    git rebase --signoff HEAD~2

    To signoff multiple commits using Git prior to version 2.13, use filter-branch and interpret-trailers as suggested by @vonc et. al. Here is what worked for me.

    First, configure git to replace the token sign by Signed-off-by. This has to be done only once and is needed in the next step.

    git config trailer.sign.key "Signed-off-by"

    The command git filter-branch with the switch --msg-filter will eval the filter once for each commit. The filter can be any shell command that receives the commit message on stdin and outputs on stdout. You can write your own filter, or use git interpret-trailers, which is indepotent. Here is an example that will signoff the latest two commits of the current branch using the current user and email:

    export SIGNOFF="sign: $(git config --get user.name) <$(git config --get user.email)>"
git filter-branch -f --msg-filter \
    "git interpret-trailers --trailer \"$SIGNOFF\"" \
     HEAD~2..HEAD

    Note 1) Modifying commit messages change the commit id, which means pushing over already published branches will have to be forced either with --force or better --force-with-lease.

    Note 2) if you intend to write your custom script, beware that git filter-branch changes the current directory to <repo>/.git-rewrite/t. Using a relative path to the script won't usually work. Instead, the script should be in your $PATH or provided as an absolute path.