Author: Chris Beams 2014-06-09 15:34:18
Published on: 2014-06-09T15:34:18+00:00
With the release of Git 2.0, automatic commit signing is now possible with the 'commit.gpgsign' configuration option. This means that interactively rebased or cherry-picked commits are also re-signed on the fly. Merging also works as expected with this feature turned on. However, a negative impact on speed when a large number of commits are involved has been identified. Any time you sign a commit, you're interacting with the gpg-agent daemon, and this is roughly an order of magnitude slower than signing without committing. For a single commit, this slowdown is negligible as it is still well below sub-second. Personally, Chris Beams thinks that in practice he'll be willing to deal with a few seconds' wait on those relatively rare occasions, and therefore he's going to keep auto-signing enabled for now (source). A compromise similar to signing tags, but would still work with the GitHub process, and leaves a trail after merge would be: if you submit a stack of commits, only sign the most recent one. As each commit contains the cryptographic hash of the previous commit, which in turns contains the hash of that before it up to the root commit, signing every commit if you have multiple in a row is redundant (source).
Updated on: 2023-06-08T23:12:56.698852+00:00