如何在像IntelliJ这样的IDE中对git commit进行签名? [英] How to sign git commits from within an IDE like IntelliJ?

问题描述

问题:如何在Windows上使用像IntelliJ这样的IDE来签署git commit?

Question How do I sign git commits using an IDE like IntelliJ on Windows?

如果您有兴趣，请阅读我在这里尝试的内容:

If you're interested, read what I tried here:

我主要关注Github的指南 .更改配置文件后，我确保不要忘记重新启动bash/IntelliJ.

I followed mainly Github's guide. I made sure to not forget to restart bash/IntelliJ after you changed config files.

1. 生成新的GPG密钥对
2. 将GPG密钥添加到我的GitHub帐户
3. 将已验证(通过GitHub)的电子邮件与我的GPG密钥，用于确保.gitconfig中的电子邮件相同.
4. 告诉Git我的GPG密钥
5. 与GPG签署提交并确认已通过验证在Github上.
6. 在同一页面上，我将提交设置为默认情况下使用git config --global commit.gpgsign true进行签名(我使用的是git 2.12).我进行了一次新提交，并确认它已由git verify-commit HEAD
签名.

7. 当我尝试在IntelliJ中提交时，得到gpg: cannot open tty 'no tty'，所以我发现

1. Generate a new GPG key pair
2. Add the GPG key to my GitHub account
3. Associate a verified (by GitHub) email with my GPG key where I made sure the email in my .gitconfig is the same.
4. Tell Git about my GPG key
5. Sign a commit with GPG and confirmed that it was Verfied on Github.
6. From that same page, I set commits to be signed by default with git config --global commit.gpgsign true (I'm using git 2.12). I made a new commit and verified it was signed with git verify-commit HEAD

7. When I try to commit in IntelliJ, I get gpg: cannot open tty 'no tty' so I found IntelliJ fails to commit changes when attempting to sign commit (GPG) and added no-tty to my C:\Users\username\.gnupg\gpg.conf file and restarted.

然后我得到错误gpg: Sorry, no terminal at all requested - can't get input，这似乎是合理的，因为我刚刚添加了与终端无关的选项.像 gpg一样:对不起，根本没有要求的终端-可以'没有得到输入说解决方案是删除no-tty，我希望这不适用于我的情况.

Then I get the error gpg: Sorry, no terminal at all requested - can't get input which seems reasonable because I just added the option that has something to do with no terminal. Like gpg: Sorry, no terminal at all requested - can't get input says the solution is to remove the no-tty which I hope doesn't apply to my case.

第一个问题的其他答案建议在gpg.conf文件中也添加use-agent，这会导致其他错误gpg: gpg-agent is not available in this session.等等，也许我需要设置gpg-agent.

Other answers in the first question suggested to add use-agent as well in the gpg.conf file, which results in the additional error gpg: gpg-agent is not available in this session. Ah wait, maybe I need to setup gpg-agent.

我能找到的Windows最佳指南是 Archlinux Wiki (是的，正确).它指定将生存时间添加到C:/Users/username/.gnupg/gpg-agent.conf中，因此我创建了该文件并按如下方式添加了default-cache-ttl 34560000和max-cache-ttl 34560000: https://superuser.com/questions/624343/keep-gnupg-凭据缓存的整个用户会话

The best guide for Windows that I could find was the Archlinux wiki (yeah, right). It specifies to add to C:/Users/username/.gnupg/gpg-agent.conf the time to live, so I create that file and add default-cache-ttl 34560000 and max-cache-ttl 34560000 as per https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session

现在让我们实际启动这个gpg-agent，

Now let's actually start this gpg-agent, https://superuser.com/questions/1153101/why-does-git-complain-that-no-gpg-agent-is-running made me check that indeed gpg-agent --version was much newer than gpg --version, so I would like to have gpg2 so I could run git config --global gpg.program gpg2.

但是我在命令行上没有gpg2.我分别安装了 Gpg4win (二进制版本，位于底部)，甚至还安装了Gnupg 2，但这并没有给我gpg2在命令行上，我注意到我必须将GNU文件夹放在我认为应该包含的程序文件(x86)中.使用where gpg时，我发现至少没有指向我刚刚下载的gpg，因为那显示了第二个.所以我用git config --global gpg.program 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'

But I do not have gpg2 available on the command line. I installed Gpg4win (binary releases, at the bottom) and even Gnupg 2 separately but that didn't give me gpg2 on the command line, I noticed I had to folder GNU in my Program Files (x86) which I think I should have. With where gpg I found out it was at least not pointing to the gpg I just downloaded, because that one showed second. So I pointed git to the right one with git config --global gpg.program 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'

现在我出现错误gpg: skipped "keyid": secret key not available. gpg中的解决方案:跳过"N":秘密密钥不可用是我刚刚所做的，所以这无济于事.然后我意识到我用其他gpg而不是这个gpg进行了所有设置.我做了alias gpg="'C:\Program Files (x86)\GnuPG\bin\gpg.exe'"，检查了gpg --version，然后又做了整个事情.实际上，我在.bash_profile中放置了别名行，因此不需要每次都运行它.

Now I have the error gpg: skipped "keyid": secret key not available. The solution in gpg: skipped "N": secret key not available is what I just did, so that doesn't help. Then I realised I set everything up with the other gpg, not with this one. I did alias gpg="'C:\Program Files (x86)\GnuPG\bin\gpg.exe'", checked gpg --version and did the whole thing again. Actually I put the alias line in my .bash_profile so I don't need to run it every time.

当我尝试gpg --gen-key时，它立即挂起.不知道为什么，我认为问题不是熵不够，因为较旧的gpg可以正常工作，但是较新的gpg可能需要更多的熵.无论如何，我都找不到Internet上有相同问题的Windows用户.

When I try gpg --gen-key it hangs immediately. No idea why, I don't think the problem is not enough entropy because the older gpg worked fine but it's possible that the newer version requires more entropy. In any case I couldn't find any windows user with the same problem on the Internet.

有效！当我提交I​​ntelliJ时，它只要求输入一次带pinentry的密码.但是现在我无法从Git Bash提交，出现no secret key错误是有道理的，因为正如我说的gpg --list-keys为空:没有密钥与此gpg关联.

It works! When I commit in IntelliJ, it asks for my passphrase with pinentry only once. But now I can't commit from Git Bash, with the no secret key error which makes sense because as I said gpg --list-keys is empty: no key is associated with this gpg.

Intellij IDEA与GPG签署GIT提交是相关，但唯一的答案是针对MAC，似乎不适用于Windows.它确实导致我:

Intellij IDEA signing GIT commits with GPG is relevant, but the only answer is for MAC and doesn't seem to apply to Windows. It did lead me to:

me.m01 .eu 提示添加一个名为GNUPGHOME的新环境变量，该变量指向C:\Users\username\.gnupg.该目录存在，但是如 git commit签名中的回答所述失败:密钥不可用我认为我的新gpg使用C:\Users\username\AppData\Roaming\gnupg，所以我添加了它.我用printenv GNUPGHOME检查是否已正确添加(必须重新启动).虽然没有任何改变.

me.m01.eu hints at adding a new environment variable called GNUPGHOME which points to C:\Users\username\.gnupg. That directory exists, but as mentioned in an answer from git commit signing failed: secret key not available I think my new gpg uses C:\Users\username\AppData\Roaming\gnupg so I added that instead. I checked with printenv GNUPGHOME that I added it correctly (I had to reboot). Didn't change anything though.

由于我的键是C:\Users\username\.gnupg，所以我尝试将环境变量指向该位置，但并没有帮助，gpg --list-keys仍然为空.因此，我不得不找到另一种方法来指出我的密钥所在的gpg.

Since my keys are I think in C:\Users\username\.gnupg I tried pointing the environment variable to there, but it didn't help, gpg --list-keys was still empty. So I had to find another way of pointing out to gpg where my keys are.

gpg --list-keys --homedir='C:/Users/s156757/.gnupg'确实提供了正确的密钥，因此我决定将homedir C:\Users\s156757\.gnupg添加到必须创建的C:\Users\username\AppData\Roaming\gnupg\gpg.conf文件中.由于此错误.我确认gpg --list-keys返回了我的密钥.仍然是相同的错误，向此conf文件添加no-tty和use-agent并没有帮助.

gpg --list-keys --homedir='C:/Users/s156757/.gnupg' did give the correct keys, so I decided to add homedir C:\Users\s156757\.gnupg to my C:\Users\username\AppData\Roaming\gnupg\gpg.conf file which I had to create. Because of this bug. I confirmed gpg --list-keys returned my keys. Still the same error, adding no-ttyand use-agent to this conf file didn't help.

我现在可以在IntelliJ中进行提交，但不再使用Git Bash提交，结果为skipped "keyid": No secret key.

更多想法

1. 我无法使用gpg --export [ID] | gpg2 --import && gpg --export-secret-keys [ID] | gpg2 --import
将密钥从gpg导出到gpg2
2. 我以为可以单独配置Gpg4win，所以我不需要每次都输入密码.不幸的是，我找不到任何方法可以使Gpg4win记住我的密码.
3. 后来我想，如果我没记错的话，gpg --list-secret-keys从未为gpg 2返回任何内容.我直到后来才发现该命令与gpg --list-keys不同.

1. I didn't manage to export keys from gpg to gpg2 with gpg --export [ID] | gpg2 --import && gpg --export-secret-keys [ID] | gpg2 --import
2. I thought Gpg4win alone maybe could be configured so I don't need to type my password every time. Unfortunately, I couldn't find anywhere a way to make Gpg4win remember my passphrase.
3. I later thought, if I remember correctly gpg --list-secret-keys has never returned anything for gpg 2. I only later found out that that command is different from gpg --list-keys.

简而言之，这是主要问题:gpg-agent允许密码短语缓存，但是git的gpg版本与gpg-agent版本不匹配，因此您必须自己先安装正确的gpg 2.但是我无法以可以同时从Git Bash和IntelliJ提交的方式进行安装.

In short this is the main problem: gpg-agent allows passphrase caching but the gpg version of git doesn't match the gpg-agent version so you have to install the right gpg 2 yourself first. But I didn't manage to do that installation in such a way that I could commit from both Git Bash and IntelliJ.

推荐答案

自git 2.19.1起，就支持gpg2！

gpg-agent现在可以处理自动签名，记住您的密码

这应该使使用gpg自动签署提交更加容易. 确切地说，git版本2.19.1至少具有gpg 2.2.9. 这些说明已在Windows 7，Windows 8.1，Windows 10，Arch Linux和Fedora 29上进行了测试.

Since git 2.19.1, gpg2 is supported!

gpg-agent can handle automatic signing now, remembering your passphrase

This should make it easier to use gpg to sign commits automatically. To be exact, git version 2.19.1 has at least gpg 2.2.9. These instructions were tested on Windows 7, Windows 8.1, Windows 10, Arch Linux and Fedora 29.

配置git commit签名的步骤

1. 建议您设置ssh，请参见例如 help.github.com/en/articles/connecting-to-github -with-ssh (同样在您不使用GitHub时)

2. (在Linux上)启动终端或在Windows上(在Windows上)启动git bash，使用git --version检查git至少为2.19.1，并使用gpg --version检查您正在使用gpg2.

1. It is recommended that you have set up ssh, see e.g. help.github.com/en/articles/connecting-to-github-with-ssh (also when you don't use GitHub)

2. Start (on Linux) a terminal or (on Windows) git bash, check with git --version that git is at least 2.19.1 and with gpg --version that you are using gpg2.

如果没有，请使用where gpg(如果where命令不可用，请使用which gpg)检查最上面的路径是git.

If not, check with where gpg (or which gpg if the where command is not available) that the top-most path is the git one.

• 如果看不到路径，或者没有任何路径具有gpg2，请尝试使用gpg2命令而不是gpg，因此请尝试gpg2 --version.如果可行，从现在开始，您必须使用gpg2而不是gpg.
• 如果看到的是git路径，但它不是顶级路径，请在Windows中将alias gpg="'C:\path\to\Git\usr\bin\gpg.exe'"放在C:\Users\username\.bash_profile中，如果该文件不存在，则创建该文件，然后重新启动git bash.再次尝试和gpg --version.从现在开始，在gpg键入文件的地方，应将其替换为'C:\path\to\Git\usr\bin\gpg.exe'.

• If you see no paths or not any one which has gpg2, try the gpg2 command instead of gpg, so gpg2 --version. If that works, you'll have to use gpg2 instead of gpg from now on.
• If you see a git path but it's not the top one, put (on Windows) alias gpg="'C:\path\to\Git\usr\bin\gpg.exe'" in your C:\Users\username\.bash_profile, create the file if it doesn't exist, and restart git bash. Try where gpg and gpg --version again. From now on, where gpg is typed into a file you should replace it with 'C:\path\to\Git\usr\bin\gpg.exe'.

检入gpg --version的输出，看主目录是否类似于(在Linux上)/home/username/.gnupg或(在Windows上)/c/Users/username/.gnupg.该目录还没有存在.

Check in the output of gpg --version if the home directory is something like (on Linux) /home/username/.gnupg or (on windows) /c/Users/username/.gnupg. This directory doesn't have to exist, yet.

如果路径不正确，请尝试更改它-例如，在Windows上一次，我看到我的家所在的位置是我运行命令的路径的前缀，因此我在.bash_profile中添加了alias gpg="gpg --homedir=/c/Users/s156757/.gnupg"的别名并重新启动bash，然后再次检查.

If the path is incorrect, try to change it - for example one time on Windows I saw my home was prefixed by the path in which I ran the command, so I put an alias in the .bash_profile with alias gpg="gpg --homedir=/c/Users/s156757/.gnupg" and restarted bash, then checked again.

• 选择RSA和RSA及4096位.
• 作为真实姓名，请像在~\.gitconfig中一样使用您的user.name.
• 作为电子邮件，请在您的~\.gitconfig中使用来自user.email的电子邮件，确保该电子邮件是GitHub上经过验证的电子邮件.
• 如果您想尝试使用gpg-agent(每次重新启动后必须至少提供一次密码)，或者如果您在GitHub上带有未验证"标志，可以提供一个密码.否则，将其留空.

• Select RSA and RSA and 4096 bits.
• As real name use your user.name as in your ~\.gitconfig.
• As email, use the email from user.email in your ~\.gitconfig, making sure that this email is a verified email on GitHub.
• If you want to try gpg-agent (you will have to provide your password at least once after each reboot) or if you are fine with an 'unverified' badge on GitHub, provide a password. Otherwise, leave it empty.

自动进行提交签名的步骤:三个选项

1.我的钥匙上没有密码

您完成了.

Steps to make the commit signing happen automatically: three options

1. I have no passphrase on my key

You're done.

对我来说，该选项不起作用:我仍然必须经常(尽管并非总是)提供密码短语.但从理论上讲，这是可行的:

For me this option didn't work: I still had to provide my passphrase often, though not always. But in theory this works:

1. 更新缓存时间，在C:\Users\username\.gnupg\gpg-agent.conf中:创建文件(如果不存在)，然后添加default-cache-ttl 34560000和max-cache-ttl 34560000.
2. 使用gpgconf --kill gpg-agent
重新启动gpg-agent
3. 现在，在提交时，您应该只输入一次密码，然后就不用了.检查您的提交是否在GitHub上为Verified.

1. Update the cache time, in C:\Users\username\.gnupg\gpg-agent.conf: create file if it doesn't exist, add default-cache-ttl 34560000 and max-cache-ttl 34560000.
2. Restart gpg-agent using gpgconf --kill gpg-agent
3. Now you should have to enter your passphrase once when committing and then not anymore. Check that your commit is Verified on GitHub.

3.将明文形式的密码短语传送到gpg

这意味着您不必提供密码，但对我来说，这意味着GitHub在我的提交中加上了Unverified徽章.在这里提问:

3. Pipe the passphrase in plaintext to gpg

This means that you never have to provide your passphrase, but for me this means that GitHub puts an Unverified badge on my commit. Question here: The key whose key-id is in the signature did not sign this commit

1. 如果已创建，请用以下代码替换C:\Users\username\start-gpg.sh的所有内容.如果不是这样，请创建包含以下内容的文件，删除--homedir标志并运行git config --global gpg.program C:\\Users\\username\\start-gpg.sh.无论如何，请重新启动bash.

1. If you created it already, replace all of the contents of C:\Users\username\start-gpg.sh with the code below. If you didn't, create the file with the contents below, remove the --homedir flag and run git config --global gpg.program C:\\Users\\username\\start-gpg.sh. In any case, restart bash.

是的，您将以明文形式在计算机上放置密码！如果您知道更好的方法，请发表评论...

Yes, you're going to place your password in plaintext on your computer! If you know a better way, please leave a comment...

# Passphrase-file-descriptor is set to 0 (STDIN), to use it --batch must be used
# The --pinentry-mode loopback is required since gpg 2.1.0 for --passphrase-fd
# The "$@" makes sure that whatever git wanted gpg to do, is still done
echo mypassphrase | gpg --homedir=/c/Users/username/.gnupg --passphrase-fd 0 --batch --yes --pinentry-mode loopback "$@"

1. 提交并推送并检查是否未要求您输入密码，并且在GitHub上您的提交仍为Verified.

没有gpg2的旧git版本的旧答案

作为参考，这里是完整的说明，或者更确切地说，是我为使其工作而执行的步骤. 工作"是指提交是自动签名的，但是有两个缺点:

Old answer for older git versions without gpg2

For the reference, here are the full instructions, or rather the steps I did to make it somewhat work. With 'work' I mean that commits are signed automatically, but there are two disadvantages:

• GitHub将它们识别为unverified: The key whose key-id is in the signature did not sign this commit. Someone may be trying to trick you. 有关此问题的后续问题是

• GitHub recognizes them as unverified: The key whose key-id is in the signature did not sign this commit. Someone may be trying to trick you. The follow-up question regarding this is The key whose key-id is in the signature did not sign this commit
• Creating a commit takes a much longer time, like five seconds instead of less than one.

如果遇到问题，请检查问题中的步骤以查看是否遇到相同的问题.

If you get stuck, check the steps in the question to see if I had the same problem.

1. 第一步来自良好的Github的指南:生成新的GPG密钥对
2. 将GPG密钥添加到您的GitHub帐户
3. 将已验证(通过GitHub)的电子邮件与您的GPG密钥，并确保您的.gitconfig中的名称和电子邮件相同.
4. 告诉Git您的GPG密钥
5. 与GPG签署提交并确认已通过验证在Github上，当您查看自己的提交时，应该会看到一个小徽章.

6. 设置提交默认情况下使用git config --global commit.gpgsign true进行签名.进行新的提交，并验证是否已使用git verify-commit HEAD签名.

1. First few steps are from the good Github's guide: Generate a new GPG key pair
2. Add the GPG key to your GitHub account
3. Associate a verified (by GitHub) email with your GPG key and make sure the name and email in your .gitconfig are the same.
4. Tell Git about your GPG key
5. Sign a commit with GPG and confirm that it is Verified on Github, you should see a little badge when you view your commit.

6. Set commits to be signed by default with git config --global commit.gpgsign true. Make a new commit and verify if it was signed with git verify-commit HEAD.

git随附的gpg版本太旧，因此请安装 Gpg4win (二进制发行版，在底部)应该安装gpg2.使用where gpg，您应该看到两条路径，其中第二条可能是您的新gpg，类似于C:\Program Files (x86)\GnuPG\bin\gpg.exe.如果不是，请尝试与下载页面分开安装Gnupg 2.

The gpg version that comes with git is too old, so install Gpg4win (binary releases, at the bottom) which should install gpg 2. With where gpg you should see two path, of which probably the second is your new gpg, something like C:\Program Files (x86)\GnuPG\bin\gpg.exe. If not, try to install Gnupg 2 separately from the downloads page.

我放置了alias gpg="'C:\Program Files (x86)\GnuPG\bin\gpg.exe'"来将gpg命令指向我的C:\Users\username\.bash_profile中的新gpg，重新启动Git Bash并使用gpg --version检查我现在是否正在使用gpg 2.

I put alias gpg="'C:\Program Files (x86)\GnuPG\bin\gpg.exe'" to point the gpg command to my new gpg in my C:\Users\username\.bash_profile, restart Git Bash and check with gpg --version that I'm now using gpg 2.

添加一个名为GNUPGHOME的新环境变量，该变量指向C:\Users\username\.gnupg.重新引导并使用printenv GNUPGHOME检查是否正确添加了它.

Add a new environment variable called GNUPGHOME which points to C:\Users\username\.gnupg. Reboot and check with printenv GNUPGHOME that you added it correctly.

制作脚本C:\Users\username\gpg-no-tty.sh并将其放入echo passphrase | "C:\Program Files (x86)\GnuPG\bin\gpg.exe" --passphrase-fd 0 --batch --no-tty --yes "$@"

将密码短语放在此处为纯文本的原因是，要使其全部正常工作的--batch选项需要输入密码短语.在我看来，似乎应该有一个比将通行密码以明文形式保存在计算机上更好的解决方案，因此，如果发现更好的内容，请发表评论.

The reason you are putting your passphrase in plaintext here is because the --batch option, which makes it all work, needs the passphrase fed. To me it seems like there should exist a better solution than saving your passphrase in plaintext on your computer, so please leave a comment if you found something better.

使用git config --global gpg.program C:\\Users\\username\\gpg-no-tty.sh将git指向此脚本.

Point git to this script with git config --global gpg.program C:\\Users\\username\\gpg-no-tty.sh.

现在在Git Bash和IntelliJ中测试您可以提交的内容，并通过执行git verify-commit HEAD来验证其是否有效.

Now test both in Git Bash and IntelliJ that you can commit, and verify that it worked by doing git verify-commit HEAD.

这篇关于如何在像IntelliJ这样的IDE中对git commit进行签名?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！