Not possible to submit signed Git commits

[gnugnug]

My password store is synced with a Git repository that only accepts signed commits. Hence my Git config includes:

$ git.exe config --list
commit.gpgsign=true
gpg.program=C:/Program Files (x86)/gnupg/bin/gpg.exe
user.signingkey=...

Committing changes via git.exe works without problems. When I issue a git commit, the GnuPG Pinentry dialog automatically pops up and asks for the passphrase of my GPG key.

Now for the problem with pass-winmenu, which otherwise works nicely: In the config I set
sync-mode: native-git
git-path: 'C:\Program Files\Git\bin\git.exe'
When I add a new password, pass-winmenu does create a new commit, but it is not signed, which causes Push to remote to fail with error code 1. I don't see a Pinentry dialog either. The Pinentry dialog however IS shown when decrypting a password.

[geluk]

Hi, thanks for your report! You're right, we currently don't have any support for signing commits. LibGit2sharp does support it, but only at a pretty low level. I'm going to look into this to see if it is possible to add support for this.

[gnugnug]

Hello geluk,
thank you very much for the quick response! I didn't try LibGit2sharp, because it always fails with "401 Unauthorized" and I don't know how to submit the credentials (I use HTTPS for Git commits with username and password). But if it works now with native-git then all the better!

[geluk]

Implemented as of v1.11.

[gnugnug]

Hello @geluk
I tested v1.11 and it does create signed commits. However when enabling commit.gpgsign, it always creates a detached HEAD. So before adding/editing a password with pass-winmenu HEAD points to:

$ git symbolic-ref HEAD
refs/heads/master

After making a change in pass-winmenu HEAD gets detached and points to the new commit:

$ git symbolic-ref HEAD
fatal: ref HEAD is not a symbolic ref

Then I can't automtically push to remote anymore, I first have to create a new branch with the new commit and merge this to master.
Apparently this is done by

pass-winmenu/pass-winmenu/src/ExternalPrograms/Git/Git.cs

Line 137 in 2414909

repo.Refs.UpdateTarget(repo.Refs.Head, signedCommit);

Is this intentionally? Can you elaborate the workflow behind this? I would have expected that the signed commit gets committed the same way as an unsigned commit.

[geluk]

It is intentional in the sense that creating the commit needs to be done manually, as LibGit2Sharp does not have support for creating signed commits in the same way as regular commits. However, forgetting to resolve the HEAD symbolic ref before updating it was an oversight on my part.

I've created a new commit that fixes this this issue for me, could you check if it has been fixed for you as well? You can download a build of pass-winmenu.exe from CI here: https://ci.appveyor.com/api/buildjobs/lnkuqa1wev6i9k76/artifacts/pass-winmenu%2Fbin%2FRelease%2Fpass-winmenu.exe

[gnugnug]

Wonderful, this fixes the issue! Signed commits work now for me.