Git stash gpg prompting

Git stash gpg prompting

[Eddie Monge]

Git stash is prompting for passphrase to try to "sign" the changes
being stashed.

Reproduce:
Add to global gitconfig with signing key:
```
[commit]
  gpgsign = true
```
Go to a repo, make some changes, and then run `git stash`

Expected: stash the changes as normal
Actual: git prompts for passphrase (if set)

Re: Git stash gpg prompting

[Jeff King]

On Fri, May 30, 2014 at 01:07:16PM -0700, Eddie Monge wrote:

> Git stash is prompting for passphrase to try to "sign" the changes
> being stashed.
> 
> Reproduce:
> Add to global gitconfig with signing key:
> ```
> [commit]
>   gpgsign = true
> ```
> Go to a repo, make some changes, and then run `git stash`
> 
> Expected: stash the changes as normal
> Actual: git prompts for passphrase (if set)

Well, yeah...stash is making a commit (two, actually), so it wants you
to sign it. :)

I suspect that using "git notes" has a similar problem. I can see an
argument for not signing stashes, as they are meant to be temporary and
not shared. I do think notes probably should be signed.

However, I wonder if it is really ever going to be sane to set
commit.gpgsign and not use something like gpg-agent. For example, if you
were to ever "git rebase" a patch series (or even just use "git rebase
-i" to refactor commits), you would be prompted for your passphrase to
sign each individual patch.

-Peff

Re: Git stash gpg prompting

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> However, I wonder if it is really ever going to be sane to set
> commit.gpgsign and not use something like gpg-agent.
>
> For example, if you
> were to ever "git rebase" a patch series (or even just use "git rebase
> -i" to refactor commits), you would be prompted for your passphrase to
> sign each individual patch.

Correct.

I actually doubt it is sane to set commit.gpgsign to true and trust
gpg-agent, but that is a separate issue.