How to gpg sign a commit?

[afzal273]

Hello,

I'm using

index=repo.index
index.add(filename)
index.commit(commit_message)

But my commits don't have my gpg signature. How can I make a commit that is signed with the gpg signature? This is important for me to make automated signed commits, that can be pushed to the remote as the remote is set up to only accept signed commits.

Thanks for your help.

[Natim]

Did you try to change your .git/config to add

[commit]
gpgsign = true

[Byron]

The low-level plumbing that GitPython provides does not support signing commits.
However, in these cases you can and probably should resort to using the git command directly, such as in repo.git.commit(<options to enforce a gpg-signature>).

Even though I am closing the issue, please feel free to add comments below.

[ankostis]

But would git's commit-cmd work with an Index prepared with GitPython?

[Byron]

Yes, provided you enforce the index to be written beforehand.

[josecelano]

I'm working on an example: https://github.com/josecelano/pygithub/pull/7/files#diff-6c2fa7bad72634a6226515e4345a04787a80b47fe56c5796993d902c4f279584
It's not finished yet, I have to find out how to inject the key using docker. I suppose I do not need it if I run the Python program in the same environment where I have the GPG key configured.

[Byron]

Indeed, the example seems to be suitable for that. The index is altered within GitPython, but the commit itself is created using repo.git.commit(…) which will pickup gpg related configuration that is also altered in the example.

Git just calls the gpg binary, I believe, so as long as gpg is configured it will pick up the configured keys and sign successfully.

[josecelano]

I continue working on the example. I managed to sign it but not totally automatically. I can import the gpg key but gpg prompts for the passphrase when I try to commit with git. I ant to inject the passphrase to sign automatically, but I have not found out how yet.

More details: nautilus-cyberneering/pygithub#7 (comment)

[Byron]

Great work! It seems like this pushed the problem into the realm of GPG and how to configure a passphrase without user input.

[josecelano]

I've found the problem. I was using the keygrip of a subkey. That's why the passphrase preset did not work. I'm going to clean the example and write a full explanation. I want to extract the key import/config to its own function so that other people can use it directly. Although from the GitPython point of view all you need to do is:

... (add files to the index)
index.write()
repo.git.commit('-S', f'--gpg-sign={signingkey}', '-m', '"my commit message"',  author='"A committer <committer@example.com>"')

[josecelano]

I have finished an example:

https://github.com/josecelano/pygithub/blob/main/src/03_sign_commit_using_the_gitpython_package.py

with a full explanation:

https://github.com/josecelano/pygithub/blob/main/docs/how_to_sign_commits_using_the_gitpython_package.md