Git rebase forces the user to touch his yubikey for every single commit #19

Closed
antoine-gaillard opened this issue Mar 12, 2019 · 5 comments
Labels
wontfix This will not be worked on

Comments

@antoine-gaillard

When doing a git rebase, you have to touch your key for every single commit being replayed. This can take quite some time if you rebase a bunch of them.

@trishankatdatadog
Member

I'm not sure what we can do about this, because it's really a Yubikey design issue, which apparently suggests that Yubico itself does not use GPG on its own keys to sign its git commits.

I'm afraid that if you rebase a lot, you probably have to turn off the touch 2FA on your Yubikey.

@SantiagoTorres Are you aware of any workaround?

It might be best to reach out to someone at Yubico about this.

@SantiagoTorres

Unfortunately, I think there's no workaround for this issue. I think you could, for the sake of usability, just sign the tip of the rebased commits:

```sh
git rebase $FLAGS --no-gpg-sign && git commit --amend
```

We could probably think of a way to make this smarter using libgit2 but I wonder if it's worth the hassle...

@trishankatdatadog trishankatdatadog added the wontfix This will not be worked on label Mar 12, 2019
@trishankatdatadog
Member

@SantiagoTorres I like your workaround, I think it's the simplest thing we can do 👍

@trishankatdatadog
Member

@SantiagoTorres However, a downside to this approach is that rebased commits are left unsigned, right? This might cause issues when you are pushing to a protected GitHub branch that requires signed commits, no? Then we might need merge strategies there to solve the problem...

@SantiagoTorres

Yeah, unfortunately n-1 of the commits won't be signed. We can see if there's a ccid message we can use to have it sign multiple payloads after the fact, but this seems too painful firsthand :(
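
A check for the downside discussed above (the rebased commits below the tip are left unsigned), as an added example that is not part of the thread or the project's code. The function names are hypothetical, and the check looks only for the presence of a signature header on each commit, not for its validity.

```shell
#!/bin/sh
# Added example, not from the thread: list the commits that a
# `git rebase --no-gpg-sign && git commit --amend` run leaves without a
# signature, so they can be caught before pushing to a branch that
# requires signed commits. All function names here are hypothetical.

# has_signature COMMIT: succeed if the commit object carries a gpgsig header.
# Only the header block (up to the first blank line) is inspected, so text in
# the commit message cannot match. Presence only: `git verify-commit` is the
# validity check.
has_signature() {
    git cat-file commit "$1" | sed '/^$/q' | grep -q '^gpgsig'
}

# unsigned_commits BASE [TIP]: print "<short-hash> <subject>" for every commit
# in BASE..TIP (TIP defaults to HEAD) that has no signature, oldest first.
unsigned_commits() {
    for c in $(git rev-list --reverse "$1..${2:-HEAD}"); do
        if ! has_signature "$c"; then
            git log -1 --format='%h %s' "$c"
        fi
    done
}

# check_range BASE [TIP]: return 1 if any commit in the range is unsigned,
# 2 if BASE is not a commit, 0 otherwise.
check_range() {
    git rev-parse -q --verify "$1^{commit}" >/dev/null || return 2
    missing=$(unsigned_commits "$@")
    if [ -n "$missing" ]; then
        printf 'unsigned commits in %s..%s:\n%s\n' \
            "$1" "${2:-HEAD}" "$missing" >&2
        return 1
    fi
}

# Stand-alone use: sh this-script.sh origin/main [tip]
[ "$#" -eq 0 ] || check_range "$@"
```
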
