For analytics purposes, I'd like to run the following command and see which commits have been signed within a rather big repository:

git log --pretty="%h %G?"

As per Git docs, the %G? placeholder can return:

  • G for a good (valid) signature
  • B for a bad signature
  • U for a good signature with unknown validity
  • X for a good signature that has expired
  • Y for a good signature made by an expired key
  • R for a good signature made by a revoked key
  • E if the signature cannot be checked (e.g. missing key)
  • N for no signature

The expected result is to get a G status for every commit that is shown as Verified in GitHub. However, I am getting mostly E statuses.

git verify-commit commit-sha on a commit with E status outputs:

gpg: Signature made Wed  17 June 13:19:22 2020 EEST
gpg:                using RSA key C90455E28OCA2B4DAD319037E77216ECEABAF951
gpg: Can't check signature: No public key

I've done the following gpg setup:

git config --global gpg.program $(which gpg)
curl https://github.com/web-flow.gpg | gpg --import
gpg --edit-key noreply@github.com (where I put `trust` and gave 6 - ultimate)
gpg --lsign-key noreply@github.com

It seems that the only commits I get with git log having status G are the ones done via the UI of GitHub, as its key is successfully inserted in gpg.

Should I crawl and get all public keys for all contributors in the repo (by using e.g. their emails) and then insert them in gpg? Actually, what is the easiest way to see the signatures of ALL commits as they are shown in GitHub, locally?

katericata

1 Answer

Should I crawl and get all public keys for all contributors in the repo (by using e.g. their emails) and then insert them in gpg?

Yes. gpg --recv-keys email1 email2… You can get the list of emails from the repository:

git log --all --format="%ae" | sort -u
git log --all --format="%ce" | sort -u

(Author and committer emails). Let's combine this in a few commands:

all_emails=$({ git log --all --format="%ae"; git log --all --format="%ce"; } | sort -u)
gpg --recv-keys $all_emails
phd
  • I get `gpg: "the.user.email@example.com" not a key ID: skipping` for every provided email to `gpg --recv-keys`. – katericata Jun 22 '20 at 13:55
  • Do you have a key server configured for GnuPG? Are you sure those keys are published and not directly uploaded to GitHub? In the latter case you probably cannot collect the keys and verify commits outside of GH. – phd Jun 22 '20 at 13:56
  • Unfortunately we do not have a configured key server, so the public keys are not published anywhere. This is probably the showstopper for us then. Anyways, thanks for your help, much appreciated! – katericata Jun 23 '20 at 12:34
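Whatever the outcome of fetching keys, the useful first step for the analytics question is a per-status tally plus the list of signing key IDs that gpg could not find. The following POSIX shell script is an added example, not code from the question or the answer; it relies on git's documented %G? and %GK placeholders, the function names are mine, and it assumes git and gpg are on PATH.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Tallies the %G? status of every commit and lists the signing key IDs that
# gpg could not find (status E), using git's documented %GK placeholder.
# Function names are mine; assumes git and gpg are on PATH.

# Read lines of "<abbrev-hash> <status> <keyid>" on stdin, as produced by
#   git log --pretty="%h %G? %GK"
# and print "<status> <count>" per status plus "MISSING_KEY <keyid>" for every
# distinct key behind an E (unverifiable) commit. Unsigned commits (N) have an
# empty key field, so they never appear in the missing-key list.
summarize_signatures() {
    awk '
        { count[$2]++ }
        $2 == "E" && $3 != "" { missing[$3] = 1 }
        END {
            for (s in count)   printf "%s %d\n", s, count[s]
            for (k in missing) printf "MISSING_KEY %s\n", k
        }
    ' | LC_ALL=C sort
}

# Run the summary over the full history of the current repository.
signature_report() {
    git log --all --pretty="%h %G? %GK" | summarize_signatures
}

# Print the abbreviated hashes of all commits with a given status (e.g. E or N),
# handy for spot-checking a few of them with `git verify-commit <hash>`.
commits_with_status() {
    git log --all --pretty="%h %G?" | awk -v want="$1" '$2 == want { print $1 }'
}

# When invoked as `sh script.sh --report`, print the report for the repo in $PWD.
if [ "${1:-}" = "--report" ]; then
    signature_report
fi
```

The MISSING_KEY lines are exactly the key IDs you would need to import (from a key server, or exported by the contributors themselves) before those commits can move from E to G.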