Retrospectively signing commits on main/master branches: Here's how it's possible!

While working on an open-source project recently, I ran into the problem that after setting up a new Mac, my first commits were neither verified nor signed. That left me with the challenge of signing them retroactively so I could merge the pull request into the main repo at all, despite the strictly "enforced merge security through commit validation." Most guides online cover re-signing commits on branches other than the main branch—but since in this case I had worked directly on the main branch, I first had to figure out the easiest way to handle it: it works with a force-push after a rebase. On the main/master branch, this can be done by manually selecting the affected commits.

Here is the workflow. It is important that commit signing has already been enabled and tested (how to do that is explained in this gist for macOS):

  1. First, change into the folder in the terminal where the Git repo is located.
  2. Use `git log -n 10 --oneline` to display the last commits in the repo.
  3. Then rebase the last commits with `git rebase -i HEAD~N`: N is replaced with the number of commits that need to be re-signed (for example, 5). An editor will open where each commit must be marked with "edit" instead of "pick." After saving and closing the file, interactive rebase mode will start.
  4. Then run `git commit --amend '-S' --author "USERNAME <MAIL_ADDRESS_OF_THE_SIGNATURE>"` to perform the re-signing: an editor with the commit message will open each time. I wouldn't change anything there.
  5. After each edited commit, use `git rebase --continue` to jump to the next commit.
  6. Once all commits have been signed, you can use `git log --show-signature` to check whether the signatures were correctly attached to the commits.
  7. Finally, use `git push --force origin main` to force-push the new commit history to the main branch.
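Step 6 is the one that actually protects you: a force-push replaces history, so it is worth checking every rewritten commit before step 7 rather than eyeballing `--show-signature` output. The following is an added example (not from the original post) that scripts that check with `git log --format='%G? %h %s'`, where the first column is git's signature status code (G good, U good but untrusted key, N no signature, B bad, E cannot be verified, X/Y/R expired or revoked key). The sample log lines are constructed so the check can be run offline; `check_last_n_signed` is a hypothetical wrapper name for use in a real repo.

```sh
#!/bin/sh
# Added example: refuse to force-push until every commit in the rewritten range
# carries a good signature. Reads lines of the form "<status> <short-hash> <subject>"
# as produced by: git log -n N --format='%G? %h %s'
# Status codes (from git's %G? format): G good, U good but key not trusted,
# N no signature, B bad signature, E cannot be checked, X/Y/R key expired/revoked.

# Returns 0 only if every non-empty input line starts with G or U.
# Lines that fail are reported on stderr so you can see which commit to fix.
check_signed_lines() {
  bad=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    status=${line%% *}          # first whitespace-separated field
    case "$status" in
      G|U) ;;
      *) echo "not verifiably signed: $line" >&2; bad=$((bad + 1)) ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# Hypothetical wrapper for a real repo: check the last N commits on the current branch.
# Example: check_last_n_signed 5 && git push --force-with-lease origin main
check_last_n_signed() {
  git log -n "$1" --format='%G? %h %s' | check_signed_lines
}

# Constructed sample log output (not real commits), for running this offline.
SAMPLE_ALL_SIGNED='G a1b2c3d Add README
U e4f5a6b Fix typo in docs'

SAMPLE_UNSIGNED='G a1b2c3d Add README
N 1234abc First commit after setting up the new Mac
E deadbee Signed with a key git cannot find'

# Stand-alone demonstration: the first sample passes, the second is rejected.
printf '%s\n' "$SAMPLE_ALL_SIGNED" | check_signed_lines && echo "sample 1: all signed"
printf '%s\n' "$SAMPLE_UNSIGNED" | check_signed_lines || echo "sample 2: rejected"
```

Two notes on the surrounding steps. First, git can run the amend for you: `git rebase HEAD~N --exec 'git commit --amend --no-edit -S'` re-signs each of the N commits without marking them "edit" by hand or opening the editor each time; the result is the same as steps 3 to 5 above. Second, `git push --force-with-lease origin main` is the safer form of step 7: it refuses the push if someone else has pushed to main since you last fetched, so your rewritten history only replaces the history you actually rebased.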

[Figure: The latest commits in the Git log]

[Figure: And the fully validated commits after the force-push]

That should make the pull request mergeable.

Have fun contributing!