As requested in the discussion on "Trustable guix pull" [0], I've
recently started signing the commits I push to Savannah.

At first, I set "gpgsign = true" in my Guix repo's Git config. This
requires you to sign every commit you make. It's effective, but I found
it annoying to provide my signing key while doing exploratory hacking,
rebasing a branch on master, etc.

Instead, I want to sign after my final "self-review" and before pushing
to Savannah or sending patches to the list for final review.

So, I've attached a pre-push Git hook that should prevent unsigned
commits from being pushed to any remote [1]. I've also attached a shell
function that will sign commits besides HEAD (useful for signing a range
of commits). I didn't find a more Git-idiomatic way to sign an existing
commit besides HEAD.

Please let me know if you see any problems with this approach, or if you
can suggest some improvements.

[0]
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#16

[1] One could make it remote-specific if desired.