As many CI/CD tools don't allow to control command line options when executing `git tag` command, a default value in the configuration file will allow to enforce tag signing if required. The new config-file option tag.gpgSign enforces signed tags. Additional command line option --no-sign is added to disable such behavior if needed. E.g.: $ git tag -m "commit message" will generate a GPG signed tag if tag.gpgSign option is true, while $ git tag --no-sign -m "commit message" will skip the signing step. The combination of -u <key-id> and --no-sign not allowed. Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@xxxxxxx> --- Documentation/config/tag.txt | 7 +++++++ Documentation/git-tag.txt | 7 +++++++ builtin/tag.c | 23 ++++++++++++++++++----- t/t7004-tag.sh | 21 +++++++++++++++++++++ 4 files changed, 53 insertions(+), 5 deletions(-) diff --git a/Documentation/config/tag.txt b/Documentation/config/tag.txt index 663663bdec..675483c3c3 100644 --- a/Documentation/config/tag.txt +++ b/Documentation/config/tag.txt @@ -8,6 +8,13 @@ tag.sort:: linkgit:git-tag[1]. Without the "--sort=<value>" option provided, the value of this variable will be used as the default. +tag.gpgsign:: + A boolean to specify whether all tags should be GPG signed. + Use of this option when running in an automated script can + result in a large number of tags being signed. It is therefore + convenient to use an agent to avoid typing your gpg passphrase + several times. + tar.umask:: This variable can be used to restrict the permission bits of tar archive entries. The default is 0002, which turns off the diff --git a/Documentation/git-tag.txt b/Documentation/git-tag.txt index a74e7b926d..2e5599a67f 100644 --- a/Documentation/git-tag.txt +++ b/Documentation/git-tag.txt @@ -64,6 +64,13 @@ OPTIONS -s:: --sign:: Make a GPG-signed tag, using the default e-mail address's key. + The default behavior of tag GPG-signing is controlled by `tag.gpgSign` + configuration variable if it exists, or disabled oder otherwise. + See linkgit:git-config[1]. + +--no-sign:: + Override `tag.gpgSign` configuration variable that is + set to force each and every tag to be signed. -u <keyid>:: --local-user=<keyid>:: diff --git a/builtin/tag.c b/builtin/tag.c index ef37dccf86..ec5fd1dcc0 100644 --- a/builtin/tag.c +++ b/builtin/tag.c @@ -33,6 +33,7 @@ static const char * const git_tag_usage[] = { static unsigned int colopts; static int force_sign_annotate; +static int config_sign_tag = -1; /* unspecified */ static int list_tags(struct ref_filter *filter, struct ref_sorting *sorting, struct ref_format *format) @@ -144,6 +145,11 @@ static int git_tag_config(const char *var, const char *value, void *cb) int status; struct ref_sorting **sorting_tail = (struct ref_sorting **)cb; + if (!strcmp(var, "tag.gpgsign")) { + config_sign_tag = git_config_bool(var, value); + return 0; + } + if (!strcmp(var, "tag.sort")) { if (!value) return config_error_nonbool(var); @@ -442,14 +448,12 @@ int cmd_tag(int argc, const char **argv, const char *prefix) memset(&opt, 0, sizeof(opt)); memset(&filter, 0, sizeof(filter)); filter.lines = -1; + opt.sign = -1; argc = parse_options(argc, argv, prefix, options, git_tag_usage, 0); - if (keyid) { - opt.sign = 1; - set_signing_key(keyid); - } - create_tag_object = (opt.sign || annotate || msg.given || msgfile); + if (keyid && !opt.sign) + die(_("user key can't be specified with --no-sign option")); if (!cmdmode) { if (argc == 0) @@ -463,6 +467,15 @@ int cmd_tag(int argc, const char **argv, const char *prefix) if (cmdmode == 'l') setup_auto_pager("tag", 1); + if (opt.sign == -1) + opt.sign = cmdmode ? 0 : config_sign_tag > 0; + + if (keyid) { + opt.sign = 1; + set_signing_key(keyid); + } + create_tag_object = (opt.sign || annotate || msg.given || msgfile); + if ((create_tag_object || force) && (cmdmode != 0)) usage_with_options(git_tag_usage, options); diff --git a/t/t7004-tag.sh b/t/t7004-tag.sh index 6aeeb279a0..80eb13d94e 100755 --- a/t/t7004-tag.sh +++ b/t/t7004-tag.sh @@ -932,6 +932,27 @@ test_expect_success GPG \ test_cmp expect actual ' +get_tag_header gpgsign-enabled $commit commit $time >expect +echo "A message" >>expect +echo '-----BEGIN PGP SIGNATURE-----' >>expect +test_expect_success GPG \ + 'git tag configured tag.gpgsign enables GPG sign' \ + 'test_config tag.gpgsign true && + git tag -m "A message" gpgsign-enabled && + get_tag_msg gpgsign-enabled>actual && + test_cmp expect actual +' + +get_tag_header no-sign $commit commit $time >expect +echo "A message" >>expect +test_expect_success GPG \ + 'git tag --no-sign configured tag.gpgsign skip GPG sign' \ + 'test_config tag.gpgsign true && + git tag -a --no-sign -m "A message" no-sign && + get_tag_msg no-sign>actual && + test_cmp expect actual +' + test_expect_success GPG \ 'trying to create a signed tag with non-existing -F file should fail' ' ! test -f nonexistingfile && -- 2.22.0.rc3.1.gdcc2db3530.dirty