Signing Git commits in NeoVim
source link: https://sbulav.github.io/vim/neovim-signing-git-commits/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
While all commits to GitHub through the web interface are automatically signed, you have to do some configuration to make it work in the console.
Signing Git commits might be a requirement for your job, OpenSource maintainers might only accept signed contributions or you might just want to increase the security of your workflow.
I couldn’t find any existing article on how to set up signing commits in the NeoVim, so I’ll share my findings in this post.
Create a new GPG key and attach it to your Github account.Permalink
As the first step, you have to generate a new GPG key. This is greatly described in the Generating a GPG key article.
Make sure that you’re using the correct email and that you won’t forget the password.
Once this is done, Add a new GPG key as per the article.
Configure Git to sign commitsPermalink
Next step is to amend your .gitconfig so that every commit is signed:
[user]
; Make sure that email matches one in the GPG key
email = [email protected]
name = Sergei Bulavintsev
; GPG key ID
signingkey = 7C43420F61CECAAA
[commit]
gpgsign = true
Now you will be prompted to enter the GPG password when you’ll try to commit anything in the terminal. To avoid typing the password every time, it is cashed via GPG agent.
Configure GPG to work with NeoVimPermalink
To make NeoVim ask for your GPG password, we need to set pinentry mode to
loopback, as per documentation:
GPGME_PINENTRY_MODE_LOOPBACK
SINCE: 1.4.0
Redirect Pinentry queries to the caller. This enables the use of gpgme_set_passphrase_cb because pinentry queries are redirected to gpgme.
To do this, edit .gnupg/gpg-agent.conf:
default-cache-ttl 28800
max-cache-ttl 28800
allow-loopback-pinentry
And .gnupg/gpg.conf:
use-agent
pinentry-mode loopback
Now reload the agent:
gpgconf --reload gpg-agent
If you’ve configured everything correctly, you’ll see Enter passphrase
in the NeoVim:
This approach works with any Git plugin, such as Fugitive or LazyGit. By using cache with TTL 28800, the password has to be entered only once per day.
To check that your commit has been signed correctly:
git log --show-signature
You should see something like this:
Signing commits for multiple emailsPermalink
If you use the same GitHub account for both personal purposes(for example, OpenSource contributions) and for work, you might want to use different emails and GPG keys for this.
To do this:
- Generate another GPG key using your another email address
- Add new email to your GitHub Account
- Add new GPG key to your GitHub Account
Now comes the tricky part, automatically determine which GPG key to use for signing commits.
I’ve found the following solution(not considering using the local .gitconfig
for each repository:
- Git allows to do Conditional includes
in your
.gitconfigbased on the git path or origin. - Each included file can override your
user.emailanduser.signingkeysettings.
For example:
[user]
; Use this email by default
email = [email protected]
name = Sergei Bulavintsev
signingkey = 7C43420F61CECAAA
[commit] gpgsign = true
; Override default settings if we are in the git_work folder
[includeIf "gitdir:~/git_work/"]
path = .gitconfig-work
; Override default settings if git origin contains my username
[includeIf "hasconfig:remote.*.url:*sbulav/*"]
path = .gitconfig-sbulav
And the included file .gitconfig_work might look like:
[user]
email = [email protected]
signingKey = A54F12F0D4D73FAA
For each GPG key you’ll have to enter corresponding password.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK