* default gpg signing key
@ 2019-02-18 20:12 Marco Sirabella
  2019-02-18 21:29 ` brian m. carlson
  0 siblings, 1 reply; 2+ messages in thread
From: Marco Sirabella @ 2019-02-18 20:12 UTC (permalink / raw)
  To: git

Hi all,

When signing a commit with git, the newer of two signing keys under my main
master key is used. This is even the case when `default-key` is set in
`gpg.conf` (`gpg --sign` uses the correct key).

Is there any way to tell git to not use the `--local-user` flag when signing,
and just let `gpg` decide which key to sign with? Or is `gpg.signingKey` in the
config the way to go?

Thanks,

-- Marco Sirabella


* Re: default gpg signing key
  2019-02-18 20:12 default gpg signing key Marco Sirabella
@ 2019-02-18 21:29 ` brian m. carlson
  0 siblings, 0 replies; 2+ messages in thread
From: brian m. carlson @ 2019-02-18 21:29 UTC (permalink / raw)
  To: Marco Sirabella; +Cc: git

On Mon, Feb 18, 2019 at 03:12:32PM -0500, Marco Sirabella wrote:
> Hi all,
> 
> When signing a commit with git, the newer of two signing keys under my main
> master key is used. This is even the case when `default-key` is set in
> `gpg.conf` (`gpg --sign` uses the correct key).
> 
> Is there any way to tell git to not use the `--local-user` flag when signing,
> and just let `gpg` decide which key to sign with? Or is `gpg.signingKey` in the
> config the way to go?

I typically use user.signingKey for this purpose. The benefit of using
local-user by default is that we serialize the email address in the
signature as the signer, which is valuable when a person has multiple
email addresses on their key.

We do have this functionality in the author and committer fields, but
embedding it in the signature ensures that the signature can't be
verified without it.

Also, without specifying -u, we'd pick whatever key was the default in
the keyring, even if the email address for that key was wrong for the
commit.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
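
Added example, not part of either message above and not code from the git project: a shell sketch that points gpg.program at a logging shim to show which key spec git passes after -u, first with user.signingKey unset (the committer identity) and then with it set. The identity, the key ID and the shim's output are constructed; the shim is a stand-in for GnuPG and produces no real signature.

```sh
#!/bin/sh
# signer_arg [KEYSPEC]: make a throwaway repo, run `git commit -S`, and print
# the key spec git handed to the signing program (the argument after -bsau).
signer_arg() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    export HOME="$work" GIT_CONFIG_NOSYSTEM=1 SHIM_LOG="$work/argv.log"
    unset GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL

    # Shim standing in for gpg: log one argument per line, drain the payload,
    # print the status line git checks for on stderr and a dummy block on stdout.
    cat > "$work/fake-gpg" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done > "$SHIM_LOG"
cat > /dev/null
printf '\n[GNUPG:] SIG_CREATED D 1 8 00 0 0000\n' >&2
printf -- '-----BEGIN PGP SIGNATURE-----\n\nconstructed\n-----END PGP SIGNATURE-----\n'
EOF
    chmod +x "$work/fake-gpg"

    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name "Example Dev"        # constructed identity
    git config user.email "dev@example.com"
    git config gpg.program "$work/fake-gpg"
    [ -z "$1" ] || git config user.signingKey "$1"

    git commit -q -S --allow-empty -m "signed test commit"
    tail -n 1 "$SHIM_LOG"                     # last argument is the key spec
)

echo "user.signingKey unset: -u $(signer_arg)"
echo "user.signingKey set:   -u $(signer_arg 0123456789ABCDEF)"   # constructed key ID
```
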