How to sign previous commits that have already been pushed to remote repo.

Aamir Shehzad
3 min read · Aug 7, 2023


Introduction:
I encountered a challenge while trying to merge my branch into the master branch. The obstacle arose from unsigned commits, which prevented the merge process. After some effort, I successfully signed all the previous commits that had been pushed. Recognizing the value of this experience, I decided to create a guideline that others can follow when facing the same issue.

Background: What is Commit Signing?
Commit signing involves using a GPG (GNU Privacy Guard) key to locally sign tags and commits. These signed tags or commits are then marked as verified on GitHub. This verification process instills confidence in others, assuring them that the changes indeed originate from a trustworthy source.

Generating New GPG key:
Download and install GPG command line tool.

gpg --full-generate-key

Use this command to list the long form of the GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.

gpg --list-secret-keys --keyid-format=long

From the list of GPG keys, copy the long form of the GPG key ID you’d like to use. In this example, the GPG key ID is 3AA5C34371567BD2.

$ gpg --list-secret-keys --keyid-format=long
/Users/aamirshehzad/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2023-08-06 [expires: 2023-09-10]
uid aamirshehzad <aamirshehzad@example.com>
ssb 4096R/4BB6D45482678BE3 2023-08-06

Export the public half of that key in ASCII-armored form:

gpg --armor --export 3AA5C34371567BD2

Run the command above, then copy your GPG public key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----. Add this GPG key to your GitHub account.

The GPG key's user ID must match your committer identity and a verified email address associated with your account on GitHub.com; once that is in place you can begin signing commits and tags.

Add the GPG key to your .gitconfig using the commands below. The last line exports GPG_TTY so that gpg can prompt you for the key's passphrase from the terminal.

git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true
[ -f ~/.bashrc ] && echo -e '\nexport GPG_TTY=$(tty)' >> ~/.bashrc

Now you are all set to sign commits in your GitHub repositories. Let's discuss how to sign all commits, including those that were pushed beforehand.

  1. Use git log --show-signature to see which commits need to be signed.
  2. Enter interactive rebase mode with git rebase -i HEAD~X, where X is the number of commits, counting back from the most recent one, that you want to rewrite. Say we want to sign the last 5 commits: X would be 5, so git rebase -i HEAD~5.
  3. You will see the list of commits in a text file. After each commit you need to sign, add the line exec git commit --amend --no-edit -s. The lowercase -s adds a Signed-off-by trailer to the commit message; the GPG signature itself is produced because commit.gpgsign was set to true above (passing uppercase -S to git commit requests it explicitly). Example that signs three commits:
pick 12345 commit message
exec git commit --amend --no-edit -s
pick 67890 commit message
exec git commit --amend --no-edit -s
pick 54564 commit message
exec git commit --amend --no-edit -s

Save and close the file; the rebase runs and every listed commit is re-created with a signature.

Now that your last 5 commits are signed, you can push them with the force flag, since rewriting history changes their hashes. You will then see your commits marked as verified on GitHub.

git push --force
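Before force-pushing, it is worth confirming locally that every commit in the rewritten range really carries a signature, rather than relying on GitHub's badge after the fact. The script below is an added example, not code from the original post: it uses git log's %G? placeholder to report each commit's signature state, filters out the ones that are signed, and wraps the same rebase the post performs by hand using git rebase --exec, which inserts the exec line after every pick automatically. The sample log lines are constructed for the offline demonstration and are not real output.

```shell
#!/bin/sh
# Added example, not from the original post: check that every commit in the
# rewritten range carries a GPG signature before it is force-pushed.
#
# git log's %G? placeholder reports the signature state of each commit:
#   G  good signature                 U  good signature, key not trusted locally
#   B  bad signature                  X  good signature that has expired
#   Y  good signature, key expired    R  good signature, key revoked
#   E  signature cannot be checked    N  no signature at all
# GitHub's "Verified" badge only needs the signature itself, so G and U both
# count as signed here; every other state is reported for re-signing.

# Pure filter: reads "hash<TAB>status<TAB>subject" lines on stdin and prints
# those whose status is not G or U. Kept separate from git so it can be
# exercised on sample data without a repository.
filter_unsigned() {
    awk -F '\t' '$2 != "G" && $2 != "U" { printf "%s\t%s\t%s\n", $1, $2, $3 }'
}

# Query a real repository. Defaults to the last 5 commits, matching the
# HEAD~5 example in the post. Returns 2 if the range does not resolve, so a
# typo in the range is not mistaken for "everything is signed".
unsigned_commits() {
    range="${1:-HEAD~5..HEAD}"
    git rev-list -n 1 "$range" >/dev/null 2>&1 || return 2
    git log --format='%H%x09%G?%x09%s' "$range" | filter_unsigned
}

# Exit status 0 when the range is fully signed, non-zero otherwise; usable as
# a guard in front of the push.
assert_all_signed() {
    range="${1:-HEAD~5..HEAD}"
    unsigned="$(unsigned_commits "$range")" || return 2
    if [ -z "$unsigned" ]; then
        echo "all commits in $range are signed"
        return 0
    fi
    echo "unsigned or badly signed commits in $range:" >&2
    printf '%s\n' "$unsigned" >&2
    return 1
}

# Same rebase as the post's hand-edited todo list, but git inserts the exec
# line after every pick itself. Uppercase -S asks for a GPG signature
# explicitly and --no-edit keeps each commit message unchanged.
sign_last_n() {
    git rebase --exec 'git commit --amend --no-edit -S' "HEAD~$1"
}

# Constructed sample log (not real output) to demonstrate the filter offline.
sample_log() {
    printf 'aaaa1111\tG\tAdd login handler\n'
    printf 'bbbb2222\tN\tFix typo in README\n'
    printf 'cccc3333\tB\tRefactor config loader\n'
    printf 'dddd4444\tU\tBump dependency\n'
    printf 'eeee5555\tN\tAdd CI workflow\n'
}

# Typical use inside a repository, after the GPG setup described above:
#   sign_last_n 5 && assert_all_signed HEAD~5..HEAD && git push --force-with-lease
# (--force-with-lease is a safer variant of --force: it refuses to overwrite
# remote commits you have not fetched yet.)
```

Running sample_log | filter_unsigned on the constructed data reports bbbb2222, cccc3333 and eeee5555, the commits with no signature or a bad one, while the good and the good-but-untrusted commits are left out. Hook assert_all_signed into a pre-push step and the force push only happens when the range is clean.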

Thanks!

