I like having machine-specific config in ~/.config/git, I think I'll do that. I didn't realize you could forward gpg-agent over a connection, I may look further into that.
Thanks for the help!

Joshua Nelson

On Sunday, March 11, 2018 17:21:42 EDT brian m. carlson wrote:
> On Sat, Mar 10, 2018 at 03:28:43PM +0000, NELSON, JOSHUA Y wrote:
> > Currently, `commit.gpgsign` allows you to give either 'true' or 'false' as a value. If the key is not present, commits will fail:
> >
> > ```sh
> > $ git commit -m "example"
> > error: gpg failed to sign the data
> > fatal: failed to write commit object
> > ```
> >
> > I like to reuse my config file across several machines, some of which do not have my GPG key. Would it be possible to add an option to sign the commit only if the private key for `user.signingkey` is present? It could be named something like `commit.gpgsign=default-yes`.
>
> Unfortunately, this isn't always possible. You can forward the Unix socket for the agent over an SSH connection, at which point the remote machine has the ability to sign, but the gpg client doesn't list those as existing secret keys in its output (because technically, those keys don't exist on the remote system). I use this technique at work, for example, to sign things on my development VM.
>
> It might be possible to make the failure of the signing operation not be fatal in this case, although that could cause people to fail to sign due to transient failures even when the key is present on the system.
>
> I usually handle this by storing my main configuration in ~/.gitconfig and on machines where I have a key, additionally having a ~/.config/git/config file that contains the commit.gpgsign entry.
>
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> https://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: https://keybase.io/bk2204