{"id":48304918,"url":"https://github.com/mazen160/git-sign","last_synced_at":"2026-04-04T23:59:41.975Z","repository":{"id":340286715,"uuid":"1165351938","full_name":"mazen160/git-sign","owner":"mazen160","description":"Squash \u0026 sign commits and PRs made by AI Agents","archived":false,"fork":false,"pushed_at":"2026-02-25T00:56:10.000Z","size":27,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-04T23:59:41.319Z","etag":null,"topics":["agentic","git","git-sign","git-signing","github","github-config","gitlab"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mazen160.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-24T04:33:45.000Z","updated_at":"2026-02-25T00:28:23.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mazen160/git-sign","commit_stats":null,"previous_names":["mazen160/git-sign"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mazen160/git-sign","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fgit-sign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fgit-sign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fgit-sign/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fgit-sign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mazen160","download_url":"https://codeload.github.com/mazen160/git-sign/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mazen160%2Fgit-sign/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31419548,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T20:09:54.854Z","status":"ssl_error","status_checked_at":"2026-04-04T20:09:44.350Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agentic","git","git-sign","git-signing","github","github-config","gitlab"],"created_at":"2026-04-04T23:59:40.477Z","updated_at":"2026-04-04T23:59:41.966Z","avatar_url":"https://github.com/mazen160.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# git-sign\n\n## Enforce Commit Signing for AI Agents\n\nRe-sign commits on a branch with your GPG or SSH key. Built for stamping PRs created by AI coding agents.\n\n---\n\n# Why?\n\nAI coding agents, including Claude, Cursor, ChatGPT Codex, Gemini, Github Copilot do not support signing git commits as of today (Feb 23, 2026). When AI Agents create pull requests, every commit shows up as \"Unverified\", and there is no way to supply a GPG or SSH key to sign the agent's PR. If you are trying to ensure commit signing on your organization without affecting developer experience, you'll hit a blocker.\n\n**git-sign** fixes this. Point it at a PR and it squashes the commits into a single signed commit:\n\nIt works with GPG and SSH signing. Whatever you have configured in `git config`, git-sign uses it.\n\n---\n\n# Features\n\n- Squashes all branch commits into a single signed commit.\n- Auto-detects the base branch from the remote HEAD.\n- Refuses to run on main/master to prevent accidental history rewrites.\n- Opens your editor for the commit message, or pass `-m` to set it inline.\n- `--dry-run` to preview what would happen.\n- `--force-push` to push after signing without a separate command.\n- `--yes` to skip the confirmation prompt (useful in scripts).\n- `--base` to specify a custom base branch.\n- `--pr` to sign a GitHub PR by number or URL without cloning manually (requires `gh` CLI).\n- `--merge` to merge the PR after signing (used with `--pr`).\n- No dependencies beyond Python 3.7+ and git (`gh` CLI required only for `--pr`).\n\n---\n\n# Installation\n\nFrom PyPI:\n```shell\npip install git-sign\n```\n\nFrom source:\n```shell\ngit clone https://github.com/mazen160/git-sign.git\ncd git-sign\npip install .\n```\n\nOr just run the script directly:\n```shell\npython git-sign.py\n```\n\n---\n\n# Usage\n\nSquash and sign all commits on the current branch (opens editor for commit message):\n```shell\ngit-sign\n```\n\nWith an inline commit message:\n```shell\ngit-sign -m \"Add user authentication\"\n```\n\nSkip the confirmation prompt:\n```shell\ngit-sign --yes\n```\n\nSign and force push in one step:\n```shell\ngit-sign --yes --force-push -m \"Add user authentication\"\n```\n\nPreview without making changes:\n```shell\ngit-sign --dry-run\n```\n\nUse a specific base branch:\n```shell\ngit-sign --base develop\n```\n\n---\n\n# PR Workflow\n\nSign a PR directly by number (when inside the repo):\n```shell\ngit-sign --pr 42\n```\n\nOr by full URL (works from any directory):\n```shell\ngit-sign --pr https://github.com/owner/repo/pull/42\n```\n\nSign and merge in one command:\n```shell\ngit-sign --pr https://github.com/owner/repo/pull/42 --merge -y -m \"Add user authentication\"\n```\n\nPreview without making changes:\n```shell\ngit-sign --pr 42 --dry-run\n```\n\nThe PR workflow:\n1. Resolves the PR's source branch, base branch, and repo via `gh pr view`.\n2. Shallow-clones the repo into a temp directory.\n3. Squashes and signs the commits on the PR branch.\n4. Force-pushes the signed branch back.\n5. Optionally merges the PR (with `--merge`).\n6. Cleans up the temp directory.\n\nThis requires the [GitHub CLI (`gh`)](https://cli.github.com/) installed and authenticated (`gh auth login`).\n\n---\n\n# How it works\n\ngit-sign diffs your branch against the remote base, resets to the base, applies the diff, and commits everything as a single signed commit:\n\n```shell\ngit diff --binary origin/main feature-branch \u003e /tmp/patch\ngit reset --hard origin/main\ngit apply /tmp/patch\ngit add .\ngit commit -S\n```\n\nAll your changes end up in one signed commit. You force push the branch, and the PR shows as verified.\n\nThis squashes history on purpose. AI agents tend to produce noisy commit logs (\"fix lint\", \"update test\", \"try again\"). One clean signed commit is better.\n\nWhen using `--pr`, this same process runs inside a temporary clone -- you don't need to be in the repo or on the right branch.\n\n---\n\n# Requirements\n\n- Python 3.7+\n- Git\n- [GitHub CLI (`gh`)](https://cli.github.com/) — only needed for `--pr` workflow\n- A signing key configured in git:\n  ```shell\n  # GPG\n  git config user.signingkey \u003cyour-gpg-key-id\u003e\n\n  # SSH\n  git config gpg.format ssh\n  git config user.signingkey ~/.ssh/id_ed25519.pub\n  ```\n\n---\n\n# Contribution\n\nContributions are welcome. Report issues and open pull requests on GitHub.\n\n---\n\n# License\n\nMIT License. See [LICENSE](LICENSE).\n\n---\n\n# Author\n\n**Mazin Ahmed**\n\n- **Website**: [https://mazinahmed.net](https://mazinahmed.net)\n- **Email**: `mazin [at] mazinahmed [dot] net`\n- **Twitter**: [https://twitter.com/mazen160](https://twitter.com/mazen160)\n- **Linkedin**: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmazen160%2Fgit-sign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmazen160%2Fgit-sign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmazen160%2Fgit-sign/lists"}