How do I configure git to always sign tags?

Update for Git 2.23 (Q3 2019), you now have git config tag.gpgSign true!


Original answer (June 2018)

While there is no “signed by default” mode for git tag, the documentation mentions:

Once you have a private key to sign with, you can configure Git to use it for signing things by setting the user.signingkey config setting.

git config --global user.signingkey 0A46826A

By default, git tag in sign-with-default mode (-s) will use your committer identity (of the form Your Name <your@email.address>) to find a key.
If you want to use a different default key, you can specify it in the repository configuration as follows:

[user]
    signingKey = <gpg-keyid>

Note: if you create your tag with the -m option (tag -m "a comment" myTag), that makes them annotated.

From git tag man page:

If -m <msg> or -F <file> is given and -a, -s, and -u <keyid> are absent, -a is implied.

So you could:

  • not define an alias for git tag (not add -s)
  • set from terminal git config tag.forceSignAnnotated true

That way, any git tag -m "a comment" myTag will trigger the gpgSign.
Only for annotated tags, but since those are the ones which are supposed to be not just local to your repo but also pushed, that should be enough.
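
Because tag.forceSignAnnotated leaves lightweight tags unsigned, it helps to audit which tags in a repository actually carry a signature. The following is an added example, not part of the original answer or of Git itself; the function names classify_tag, audit_tags and make_demo_repo are hypothetical, and the demo repository is constructed sample data.

```shell
#!/bin/sh
# Added example. Classifies each tag in a repository as:
#   lightweight        - ref points straight at a commit; nothing to sign
#   annotated-unsigned - tag object without a signature block
#   signed-block       - tag object carrying a signature block (presence only;
#                        run `git tag -v <tag>` to verify it cryptographically)

classify_tag() {  # usage: classify_tag <repo> <tag>
    repo=$1; tag=$2
    # Type of the object the ref names directly; "tag" means an annotated tag.
    type=$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null) || { echo missing; return 1; }
    if [ "$type" != tag ]; then echo lightweight; return 0; fi
    # Signature armor headers git recognises for OpenPGP, X.509 and SSH formats.
    if git -C "$repo" cat-file tag "refs/tags/$tag" |
        grep -Eq '^-----BEGIN (PGP SIGNATURE|PGP MESSAGE|SIGNED MESSAGE|SSH SIGNATURE)-----'; then
        echo signed-block
    else
        echo annotated-unsigned
    fi
}

audit_tags() {  # usage: audit_tags <repo>; exit status 1 if any tag lacks a signature
    repo=$1; rc=0
    for ref in $(git -C "$repo" for-each-ref --format='%(refname)' refs/tags); do
        name=${ref#refs/tags/}
        class=$(classify_tag "$repo" "$name")
        printf '%s\t%s\n' "$name" "$class"
        [ "$class" = signed-block ] || rc=1
    done
    return $rc
}

make_demo_repo() {  # constructed sample: one lightweight and one annotated tag, no signing
    d=$(mktemp -d) || return 1
    g="git -C $d -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgSign=false -c tag.gpgSign=false -c tag.forceSignAnnotated=false"
    git init -q "$d" &&
    $g commit -q --allow-empty -m init &&
    $g tag light &&
    $g tag -m "a comment" annot &&
    echo "$d"
}
```

Run audit_tags against a real checkout (for example audit_tags .) in CI to flag tags that were pushed without a signature.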
