From a89686d115e970e200eb2caa7603f3673050e00c Mon Sep 17 00:00:00 2001
From: Austin Horstman <khaneliman12@gmail.com>
Date: Mon, 4 May 2026 11:43:29 -0500
Subject: [PATCH] git: avoid implicit signing config

Fixes #6630
---
 modules/programs/git.nix                      |  2 +-
 tests/modules/programs/git/default.nix        |  1 +
 .../git/git-without-signing-legacy.conf       |  9 +++++++++
 .../git/git-without-signing-legacy.nix        | 20 +++++++++++++++++++
 4 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 tests/modules/programs/git/git-without-signing-legacy.conf
 create mode 100644 tests/modules/programs/git/git-without-signing-legacy.nix

diff --git a/modules/programs/git.nix b/modules/programs/git.nix
index d025d9975..822b39d94 100644
--- a/modules/programs/git.nix
+++ b/modules/programs/git.nix
@@ -454,7 +454,7 @@ in
       (mkIf (cfg.signing != { }) {
         programs.git = {
           signing = {
-            format = mkOptionDefault signingFormatStateVersionDefault.default;
+            format = mkOptionDefault signingFormatStateVersionDefault.effectiveDefault;
             signer =
               let
                 defaultSigners = {
diff --git a/tests/modules/programs/git/default.nix b/tests/modules/programs/git/default.nix
index c04760fde..7bc60fa51 100644
--- a/tests/modules/programs/git/default.nix
+++ b/tests/modules/programs/git/default.nix
@@ -7,6 +7,7 @@
   git-without-signing-key-id = ./git-without-signing-key-id.nix;
   git-without-signing-key-id-current = ./git-without-signing-key-id-current.nix;
   git-without-signing = ./git-without-signing.nix;
+  git-without-signing-legacy = ./git-without-signing-legacy.nix;
   git-with-hooks = ./git-with-hooks.nix;
   git-with-lfs = ./git-with-lfs.nix;
   git-with-maintenance = ./git-with-maintenance.nix;
diff --git a/tests/modules/programs/git/git-without-signing-legacy.conf b/tests/modules/programs/git/git-without-signing-legacy.conf
new file mode 100644
index 000000000..a9a95c366
--- /dev/null
+++ b/tests/modules/programs/git/git-without-signing-legacy.conf
@@ -0,0 +1,9 @@
+[gpg]
+	format = "openpgp"
+
+[gpg "openpgp"]
+	program = "@gnupg@/bin/gpg"
+
+[user]
+	email = "user@example.org"
+	name = "John Doe"
diff --git a/tests/modules/programs/git/git-without-signing-legacy.nix b/tests/modules/programs/git/git-without-signing-legacy.nix
new file mode 100644
index 000000000..b6c3bf331
--- /dev/null
+++ b/tests/modules/programs/git/git-without-signing-legacy.nix
@@ -0,0 +1,20 @@
+{
+  programs.git = {
+    enable = true;
+    settings = {
+      user = {
+        name = "John Doe";
+        email = "user@example.org";
+      };
+    };
+  };
+
+  home.stateVersion = "24.05";
+
+  test.asserts.evalWarnings.expected = [ ];
+
+  nmt.script = ''
+    assertFileExists home-files/.config/git/config
+    assertFileContent home-files/.config/git/config ${./git-without-signing-legacy.conf}
+  '';
+}