Git notes are a feature to add meta-information to Git objects. See this Stackoverflow article for further details. Similar to commits, I also want to sign notes.
My local Git is configured to sign all commits. While signing Git commits works as expected, Git notes remain unsigned. In my local Git config I have the following:
# excerpt from ~/.gitconfig
[commit]
gpgsign = true
In order to sign notes, I tried the following.
# Create example repo
git init repo
cd repo
date >> DATE && git add DATE && git commit -m "update date"
# Commit has been signed (OK)
git show $( git rev-parse HEAD ) --show-signature
git notes add -m "Example note"
# Commit has a note now (OK)
git show $( git rev-parse HEAD ) --show-signature
# Note has not been signed (fail)
git log -p notes/commits --show-signature
How can I ensure that the Git notes are signed, too?
Git does not natively support GPG signing notes.
However, you can manually sign notes as GPG clearsigned documents.
You can create a clearsigned note as
$ echo "My note" | gpg2 --clearsign --output=- | git notes add -F-
which will look something like this
$ git notes show
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
My note
-----BEGIN PGP SIGNATURE-----
iHUAARYIAB0WIQRV1AjJ09Fu2Xnxkhi7mQ+45Dv2eQUCZTRkw7AKCRC7mQ+45Dv2
eQUfAPwKhEDkoOGWqTvM1gZG6k1fMtTXRN4/ju+qG2X6rlAx54D/TNsHI2kzETqB
Pa6/9YKoJfH/JulcVNAvGuylOOrabww=
=U8vT
-----END PGP SIGNATURE-----
You can then verify the signature with gpg as
$ git notes show | gpg2 --verify
gpg: Signature made Sat 21 Oct 2023 07:54:40 PM EDT
gpg: using EDDSA key ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD
gpg: Good signature from "Foo Bar <foo.bar@example.com>" [ultimate]
To extract just the note, you can use
$ git notes show | gpg2 --verify --output=- 2>/dev/null
My note
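As an added example (not part of the answer above), the following Python helper shows the consumer side of this scheme: it splits a clearsigned note into message and signature following the RFC 4880 clearsign rules (Hash headers, dash-escaped lines), and only returns the note text after gpg has reported a good signature, so unsigned or tampered notes are never mistaken for trusted ones. The `verified_note` function, the sample note and its dummy signature block are constructed for this illustration.

```python
import subprocess

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample of what `git notes show` prints for a clearsigned note.
# The signature block is a dummy and will not verify; it only exercises parsing.
SAMPLE_NOTE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Review: approved
- - item one
- -- item two
-----BEGIN PGP SIGNATURE-----

iHUAARYIAB0WIQRV1AjJ09Fu2Xnxkhi7mQ+45Dv2eQUCZTRkw7AKCRC7mQ+45Dv2
=U8vT
-----END PGP SIGNATURE-----
"""

def split_clearsigned(text):
    """Return (message, armored_signature) for a clearsigned note.

    Per RFC 4880 section 7: the Hash headers end at the first blank line,
    message lines that started with '-' were escaped as '- ', and the message
    ends right before the signature armor. Raises ValueError otherwise.
    """
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("note is not a PGP clearsigned document")
    try:
        blank = lines.index("", 1)                 # end of Hash: headers
        sig_start = lines.index(BEGIN_SIG, blank)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("malformed clearsigned note") from None
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1]) + "\n"

def verified_note(commit, gpg="gpg2"):
    """Return the note text for `commit` only if gpg reports a good signature.

    Assumes git and gpg are on PATH and the signer's key is in the keyring.
    Unsigned notes, bad signatures and unknown keys all raise instead of
    returning text, so callers cannot accidentally trust an unverified note.
    """
    note = subprocess.run(["git", "notes", "show", commit], check=True,
                          capture_output=True, text=True).stdout
    message, _ = split_clearsigned(note)           # reject non-clearsigned notes early
    subprocess.run([gpg, "--verify"], input=note, check=True,
                   capture_output=True, text=True)  # non-zero exit -> CalledProcessError
    return message
```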