0

I didn't know about commit signing before, so I have a repo with a few thousand commits that I would like to sign.

This question about signing previous commits has several answers, but they change the date/time of the commit, which I would like to keep.

I understand that to sign all commits, I have to rewrite the commit history, so the commit hashes will change; that is fine. But I hope there is a way to do it without changing the date/time of each commit-- after all, I just want to sign the commits and not make any other changes.

This answer on a different question shows a way to update the date of all commits but it doesn't sign them. And this answer to the originally linked question describes a way to preserve the commit date, which is what I want, but when I run the code

git rebase --committer-date-is-author-date -i --root

I get the error:

fatal: cannot combine am options with either interactive or merge options

This repository is on GitHub and has a simple structure with only two branches (main/dev) and a few thousand commits. How can I automatically sign all the commits while preserving the commit dates/times?

Patrick Kenny
  • 4,515
  • 7
  • 47
  • 76
  • 4
    Note that Git is working as intended. The commit time is supposed to track when the commit was made. The ***author time*** remains the same. Commit times will change, don't fight it. Use `git log --pretty=fuller` to see both. See [Difference between author and committer in Git?](https://stackoverflow.com/questions/18750808/difference-between-author-and-committer-in-git) – Schwern Jan 15 '22 at 03:42
  • 2
    Or just sign your latest commit. It effectively signs off the history to that point in time. – jessehouwing Jan 15 '22 at 10:50
  • You *could* write yourself some code (and/or steal the old filter-branch shell script code) to do this while setting `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` for each commit. I wouldn't bother though: as @jessehouwing says, signing the latest commit (or a tag for it) is effective. If you're in a super-high-security environment they might not accept this due to SHA-1 weakness, but if you're in that kind of environment they wouldn't look kindly on rewriting past commits either. – torek Jan 15 '22 at 14:57
  • Possible duplicate of https://superuser.com/questions/397149/can-you-gpg-sign-old-commits, but it is not recommended https://superuser.com/questions/1144817/is-it-a-good-idea-to-gpg-sign-old-git-commits – Michael Freidgeim May 05 '22 at 21:04

0 Answers0