We are using a Git workflow where everything is signed with GnuPG. This means, among other things, that we have commit.gpgsign = true set in our Git configurations.
When downloading a patch from Differential using arc patch, that gets inserted into the working repository as a new commit. But since we've told Git to sign all commits, the downloaded patch gets signed locally, by the developer who happens to run arc patch. This is wrong for two reasons:
- Patches are probably mainly downloaded from Differential for review, not for integration, so they shouldn't be signed at all.
- Commits should be signed by the original author of the code, which is probably not the developer running arc patch.
This is not a huge problem, since the commits created by arc patch will get thrown out once they have been reviewed and thus nobody else will see the erroneous signature. However, it is a UI problem, since developers either
- Get trained to enter their GnuPG passphrase at any random prompt, or
- Turn up the passphrase retention time in their GnuPG agents to ridiculous amounts to avoid thinking about the problem.
We have no PHP developers, but we have managed to patch Arcanist to never sign commits generated by arc patch, simply by editing the command line sent to Git (currently at src/workflow/ArcanistPatchWorkflow.php, line 724) to always include --no-gpg-sign. I expect a proper solution would be to introduce a setting in .arcrc.
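The following shell script is an added example, not code from Arcanist or from the report's author, showing the Git behaviour the workaround relies on: with commit.gpgsign set to true, a plain `git commit` tries to invoke the signer, while `git commit --no-gpg-sign` overrides the setting for that one command and produces a commit object with no `gpgsig` header. The repository, file contents and committer identity are constructed for the demo; gpg.program is pointed at /bin/false so that any signing attempt fails visibly instead of prompting for a passphrase.

```shell
#!/bin/sh
# Added example (not Arcanist's code): show that commit.gpgsign=true forces
# signing and that --no-gpg-sign (the flag the report adds to arc patch's
# git command line) overrides it for a single commit.
set -eu

# Builds a throwaway repo with a constructed file, commit.gpgsign=true and a
# signer that always fails. Returns 0 when the --no-gpg-sign commit is created
# and carries no gpgsig header; returns 1 otherwise.
demo_no_gpg_sign() {
    # Isolate from the user's own global/system Git configuration.
    export GIT_CONFIG_NOSYSTEM=1
    export GIT_CONFIG_GLOBAL=/dev/null
    tmp=$(mktemp -d)

    git -C "$tmp" init -q
    git -C "$tmp" config user.name "Example Dev"            # constructed identity
    git -C "$tmp" config user.email "dev@example.invalid"
    git -C "$tmp" config commit.gpgsign true                 # the setting from the report
    git -C "$tmp" config gpg.program /bin/false              # stand-in signer that always fails

    echo "constructed sample content" > "$tmp/file.txt"
    git -C "$tmp" add file.txt

    # Without the override, Git calls gpg.program to sign; /bin/false makes that fail,
    # so the commit must NOT be created.
    if git -C "$tmp" commit -q -m "signed attempt" 2>/dev/null; then
        echo "unexpected: commit succeeded although the signer failed" >&2
        rm -rf "$tmp"
        return 1
    fi

    # With --no-gpg-sign, the per-command flag wins over commit.gpgsign and the
    # signer is never invoked, which is what arc patch should do for imported patches.
    git -C "$tmp" commit -q --no-gpg-sign -m "arc patch import (unsigned)"

    # A signed commit object carries a 'gpgsig' header; an unsigned one does not.
    if git -C "$tmp" cat-file commit HEAD | grep -q '^gpgsig'; then
        echo "unexpected: commit carries a gpgsig header" >&2
        rm -rf "$tmp"
        return 1
    fi

    rm -rf "$tmp"
    return 0
}
```

Run it as `demo_no_gpg_sign && echo "override works"`. The same check (`git cat-file commit HEAD | grep gpgsig`) is a quick way to confirm, after running a patched `arc patch`, that the imported commit really was created without a local signature.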