fix: bug with upstream signatures not working - automate education here for users #3
Description
❯ We're getting this:
Auths Commit Verification
| Commit | Status | Details |
|---|---|---|
a5838d33 |
✅ Verified | Signed by z6MktnihicwetvA16FtHFynaJTn9eDZw51eizUEA1yGJCR4o@auths.local |
81bce680 |
❌ Failed | No signature found |
849e19f0 |
✅ Verified | Signed by z6MktnihicwetvA16FtHFynaJTn9eDZw51eizUEA1yGJCR4o@auths.local |
5a9f7178 |
✅ Verified | Signed by z6MktnihicwetvA16FtHFynaJTn9eDZw51eizUEA1yGJCR4o@auths.local |
c2990820 |
✅ Verified | Signed by z6MktnihicwetvA16FtHFynaJTn9eDZw51eizUEA1yGJCR4o@auths.local |
40c9435c |
✅ Verified | Signed by z6MktnihicwetvA16FtHFynaJTn9eDZw51eizUEA1yGJCR4o@auths.local |
Result: ❌ 5/6 commits verified
How to fix
Commit 81bce680 is not signed. Install auths and re-sign:
macOS: brew install auths
Linux: Download from releases
Then re-sign:
git commit --amend --no-edit -S
git push --force-with-lease
from verify commits in:
/Users/bordumb/workspace/repositories/auths-base/auths/.github/workflows/ci.yml
I ran the command it suggests 3 times and it keeps failing
⏺ The issue is that 81bce68 was created without signing (maybe by a tool, a rebase, or an amend that dropped the signature). Running git commit --amend keeps
re-signing the current HEAD (a5838d3), not 81bce68 which is 5 commits back.
Let me check.
⏺ Bash(git log --oneline -6 && echo "---" && git log --format="%h %G? %s" -6)
⎿ a5838d3 feat: add support for tlogs
81bce68 feat: add namespace governance, identity-as-API-key, and hardening (fn-74, fn-75, fn-76)
849e19f feat: add auths log inspect and auths log verify CLI commands (fn-73.5)
… +10 lines (ctrl+o to expand)
⏺ 81bce68 has N (no signature). It's 5 commits back. You can't fix it with --amend — that only touches HEAD.
To sign it, you'd need an interactive rebase (git rebase -i) to edit that commit, which rewrites all 5 commits after it (new hashes for everything). Since
these aren't pushed yet, that's fine.
But per CLAUDE.md, I shouldn't run interactive git commands. Here's what you do:
git rebase --exec 'git commit --amend --no-edit -S' 40c9435
This re-signs every commit from 40c9435 to HEAD. Non-interactive, signs all 6 commits. All hashes will change.