I'm trying to clean up the commit history of a git repository by removing
certain files. The repository contains signed commits, and when I try to use
git filter-branch, the PGP signature is converted to the first line of the
commit message.
It should be possible to craft a filter that removes the signatures
entirely. It is not possible to craft a filter-branch which retains
the signatures in any *valid* form, though you could re-create new
signatures assuming you have all the private keys (i.e., you're the one
who signed all the commits).
You can't keep the signatures alone, because then they wouldn't be
valid, since the data they signed is not the same now. Normally
signatures are used so that you can verify "yes, so-and-so is the
person who did this thing and no one else could have faked it".
Ah, okay, that makes sense.
Is this the expected behavior? If so, is there something that I can do to
prevent this from happening?
I'm not sure why it's putting the first line at the top of the commit.
I'm using git v. 2.4.6. I tried reducing the behavior to a simple case. I
asked about this on Stack Overflow
(http://stackoverflow.com/q/31552774/2571049), but the question hasn't
really gotten any uptake, so I thought I would try asking here too.
In trying to reproduce the behavior in a minimal way, I did the following:
mkdir pgp-git-test
cd pgp-git-test
git init
touch a.txt
git add a.txt
git commit -m "Add a.txt" -S
touch b.txt
git add b.txt
git commit -m "Add b.txt" -S
git filter-branch --index-filter 'git rm --cached --ignore-unmatch a.txt' --prune-empty HEAD
git log --oneline --decorate
b4efdf0 (HEAD -> master) iQIcBAABCgAGBQJVrvqHAAoJ [...] -----END PGP SIGNATURE-----
9f82e63 iQIcBAABCgAGBQJVrvp7AAoJ [...] -----END PGP SIGNATURE-----
As can be seen after running git log --oneline --decorate, the PGP signature
has become the first line of the commit. The rest of the commit message is
still there, but it's on a line below the PGP signature.
How can I prevent this from happening when using git filter-branch?
You probably need to run all the commits through a filter first which
strips out all signature info, and then re-write the commits to remove
the file. You can't leave the signatures in there alone, as they would
no longer be valid, and people who try to verify them would fail.
Do you know of a good way to do this? I'm pretty new to git, and I
haven't had much luck searching online or looking through the
documentation for ideas of how to even filter out the PGP signatures
before filtering out a certain file from the commit history.
If you could even point me in the right direction, I would really
appreciate it. Do you think there is a way to do this all automatically,
so that it would be possible to keep track of which commits have had
their signatures removed and then resign them after filtering out the
file (I am the one who signed the commits originally), or would that be
impossible since the SHA-1 hashes of the commits will change?
Also, one thing that I was a bit surprised about when trying to create this
minimal example is that the first commit is still there. Does anyone know
why the commit history still contains the first commit, since the first
commit only involved the file a.txt and since I passed --prune-empty to git
filter-branch? Shouldn't this commit have been eliminated from the log?
I'm not sure about this part, sorry.
No worries. Thanks for your help and your initial response. I appreciate
it!
Thanks in advance for the help! I'm relatively new to git, so apologies for
bugging you all if this is a trivial error on my part. Thanks!
Best,
Adam Liter
Regards,
Jake
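
Added example, not part of the original thread and not git's own code: a signed commit stores its signature in a "gpgsig" header whose continuation lines start with a space, and the signature is checked over the commit with that header removed. The sketch below strips that header from a raw commit object and shows why a rewritten commit cannot keep its old signature; the sample commit, the identity in it and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample of a raw signed commit object. The author identity and
# the signature body are placeholders, not values from the thread.
SIGNED = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1437530000 -0400\n"
    b"committer A U Thor <author@example.com> 1437530000 -0400\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDERsignatureDATA\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Add b.txt\n"
)

def split_commit(raw):
    """Split a raw commit into (header_lines, message) at the first empty line."""
    head, _, message = raw.partition(b"\n\n")
    return head.split(b"\n"), message

def strip_gpgsig(raw):
    """Drop the gpgsig header and its continuation lines (leading space)."""
    headers, message = split_commit(raw)
    kept, skipping = [], False
    for line in headers:
        if line.startswith(b"gpgsig "):
            skipping = True
        elif skipping and line.startswith(b" "):
            continue
        else:
            skipping = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message

def object_id(kind, body):
    """Git object id: SHA-1 over '<kind> <size>' + NUL byte, then the body."""
    return hashlib.sha1(kind + b" %d\x00" % len(body) + body).hexdigest()

def rewrite_tree(raw, new_tree_hex):
    """Simulate a history rewrite: same commit, new tree, old gpgsig kept."""
    headers, message = split_commit(raw)
    headers[0] = b"tree " + new_tree_hex
    return b"\n".join(headers) + b"\n\n" + message

def signature_survives(old_raw, new_raw):
    """The old signature can only verify if the signed payload is unchanged."""
    return strip_gpgsig(old_raw) == strip_gpgsig(new_raw)
```

Removing a file changes the tree id of every affected commit, so signature_survives() is false for each of them; the only valid outcomes are stripping the header or signing the rewritten commits again.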