Hello!

I build a complex project "Monorepo" in an environment that mandates code signing and monorepository philosophy. In my project I built several multi-purpose libraries. I track changes to those libraries in a separate (local) repository, and use git subtree to merge them with the Monorepo.

Git does not have an option to sign the synthetic commits it generates when merging and pulling (and does ignore a policy `commit.gpgsign = true` in `.git/config` present in all repositories that are involved).

It is not that bad in `git subtree pull`, because I can do `git commit --amend -S --no-edit` on the last commit in the Monorepo, if I find that the `git subtree pull` added a new commit. The problem is with `git subtree push`, because it can add more than one commit on a single invocation, forcing me to edit the history.

Do you confirm this is an inconvenience bug (not a bug in the sense that I get the repository corrupted)?

I use git 2.38.1 on Ubuntu 20.04 64 bit.

Steps to reproduce:

1. In the empty directory, in my example `/home/adam/gitbug`, create the Monorepo:

```
git init monorepo
```

2. Modify the `monorepo/.git/config` and add user's signing key and `commit.gpgsign=true`

```
[user]
    signingkey = 1234561234567890
    email = adam@xxxxxxxxxxxxxx
[commit]
    gpgsign = true
```

3. Add a first commit and verify it gets signed.

```
cd monorepo
git commit -m "Initial commit" --allow-empty
git log --show-signature
cd ..
```

4. Create a feature library "lib1":

```
git init lib1
```

5. Modify the `lib1/.git/config` in a similar way as in Monorepo (step 2) and add `receive.denyCurrentBranch = updateInstead`

```
[user]
    signingkey = 1234561234567890
    email = adam@xxxxxxxxxxxxxx
[commit]
    gpgsign = true
[receive]
    denyCurrentBranch = updateInstead
```

6. Add a first commit to lib1. Verify it is signed.

```
cd lib1
touch library_code.py
git add library_code.py
git commit -m "Initial commit in lib1"
git log --show-signature
cd ..
```

7. Add lib1 as a subtree repository for Monorepo.

Bug #1: The signature of the subtree split commit IS NOT signed in the Monorepo.

```
cd monorepo
git remote add lib1 "/home/adam/gitbug/lib1"
git subtree add --prefix lib/lib1 lib1 master
git log --show-signature
Merge: 6f06087 cef349f
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 09:35:27 2022 +0200

    Add 'lib/lib1/' from commit 'cef349f0c89b7a506a5558750310d4cb3dc1f307'

    git-subtree-dir: lib/lib1
    git-subtree-mainline: 6f06087ac3d45d18d0651717388906902d6fa74b
    git-subtree-split: cef349f0c89b7a506a5558750310d4cb3dc1f307
```

8. Sign the signature with git amend, and verify all the commits are signed:

```
git commit -S --amend --no-edit
git log --show-signature
cd ..
```

9. Make a commit in lib1 and verify all the commits are signed:

```
cd lib1
echo "First line of code" >> library_code.py
git commit -S -am "Adds first line of code"
git log --show-signature
cd ..
```

10. Pull the changes in the lib1 to the Monorepo and verify all the commits are signed:

```
cd monorepo
git subtree pull --prefix=lib/lib1 lib1 master
git log --show-signature
```

11. Modify the lib1 from inside the Monorepo and push the changes to the subtree repository:

```
echo "Another line of code" >> lib/lib1/library_code.py
git commit -S -am "Adds another line of code"
git log --show-signature
git subtree push --prefix=lib/lib1 lib1 master
cd ..
```

12. Bug #2: In the lib1 the added commit "Adds another line of code" added by the `git subtree push` IS NOT signed:

```
cd lib1
git log --show-signature
```

13. We need to work around this bug, otherwise the `git subtree pull` will merge UNSIGNED commits.

```
git commit -S --amend --no-edit
git log --show-signature
cd ..
```

14. Go back to the lib1 and subtree pull the last subtree push we did, otherwise our subsequent subtree push would end with `error: failed to push some refs to '/home/adam/tmp/gitbug/lib1'`.

If we hadn't manually signed the last commit in lib1, this would pull that unsigned commit and cover it with ANOTHER unsigned commit caused by git subtree pull.

```
cd monorepo
git subtree pull --prefix=lib/lib1 lib1 master
git log --show-signature
```

15. Make a _second_ push to the lib1.

```
echo "Third line of code" >> lib/lib1/library_code.py
git commit -S -am "Adds third line of code"
git log --show-signature # All is signed as expected
git subtree push --prefix=lib/lib1 lib1 master
cd ..
```

16. Go to the lib1 and see a total mayhem: Three unsigned commits:

```
cd lib1
git log --show-signature
```

First two commits and a commit `2de16` are unsigned... The only way of fixing it is to rewrite the history:

```
commit b3c5429d2b3f7f4a3643bd577d1c4fd458238a22
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 12:43:18 2022 +0200

    Adds third line of code

commit 53f1d874c542731b7fbb928877034332b57cc6e9
Merge: 2de16ea d80a03e
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 12:42:51 2022 +0200

    Merge commit 'd80a03ef0c1a82e29d94d89c8d7bd1d3f40e8691'

commit d80a03ef0c1a82e29d94d89c8d7bd1d3f40e8691
Primary key fingerprint: C076 B904 25BB FE0B 2718  697B 519B A799 293A 0D76
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 12:42:14 2022 +0200

    Adds another line of code

commit 2de16ead1752dc661904099c34f6b09f495faa94
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 12:42:14 2022 +0200

    Adds another line of code

commit 3d80e8b60eb65378e78fc1bf88e5eed2da703dab
Primary key fingerprint: C076 B904 25BB FE0B 2718  697B 519B A799 293A 0D76
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 12:42:00 2022 +0200

    Adds first line of code

commit cef349f0c89b7a506a5558750310d4cb3dc1f307
Primary key fingerprint: C076 B904 25BB FE0B 2718  697B 519B A799 293A 0D76
Author: Adam Ryczkowski <adam@xxxxxxxxxxxxxx>
Date:   Thu Oct 20 12:42:14 2022 +0200

    Initial commit in lib1
```

Adam Ryczkowski
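
Added example, not part of the original message and not git's own code: a `pre-receive` hook for the receiving repository (lib1 above) that refuses any push bringing in commits without a good signature, so unsigned commits of the kind reported in steps 12 and 16 are stopped at push time instead of being found later in `git log --show-signature`. It relies on git's `%G?` log placeholder; the hook location, the accepted-status policy and the presence of the signers' public keys in the hook user's keyring are assumptions.

```shell
#!/bin/sh
# Added example: pre-receive hook for lib1 (install as lib1/.git/hooks/pre-receive).
# Assumption: the signers' public keys are in the keyring of the user running the hook.

# %G? letters accepted as "signed": G = good signature. Add U to also accept
# good signatures whose key validity is unknown.
ACCEPTED_STATUSES="G"

# True when the object id is all zeros (ref creation or deletion).
is_zero() { case "$1" in *[!0]*) return 1 ;; esac; }

# Print the rev-list arguments selecting the commits one ref update brings in.
range_for() {
    if is_zero "$1"; then echo "$2 --not --all"; else echo "$1..$2"; fi
}

# Read "<hash> <%G? status> <subject>" lines; print those lacking an accepted
# status and return 1 if there were any.
unsigned_commits() {
    awk -v ok="$ACCEPTED_STATUSES" \
        'NF && (length($2) != 1 || index(ok, $2) == 0) { print; bad = 1 }
         END { exit bad + 0 }'
}

# Read "<old> <new> <ref>" lines as git feeds them to pre-receive.
check_push() {
    rc=0
    while read -r old new ref; do
        is_zero "$new" && continue            # ref deletion: nothing to verify
        # Word splitting of the range_for output is intended.
        if ! git log --format='%H %G? %s' $(range_for "$old" "$new") |
                unsigned_commits >&2; then
            echo "rejected $ref: the commits listed above are not signed" >&2
            rc=1
        fi
    done
    return $rc
}

# Run only when installed as the hook, so the functions can be sourced and tested.
case "${0##*/}" in pre-receive) check_push ;; esac
```

The same `git log --format='%H %G? %s' | unsigned_commits` pipeline can be run by hand in either repository to list the commits that still need attention.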