Work around a bug in GnuPG by passing it --default-key instead of --local-user when signing a Git commit

config/git/config

@@ -22,7 +22,7 @@
 	arguments = --preserve-merges
 
 [gpg]
-	program = gpg2-no-tty
+	program = gpg2-for-git-signing
 
 [rerere]
 	enabled = true

local/bin/gpg2-for-git-signing

@@ -0,0 +1,13 @@
+#!/bin/zsh
+# There's a weird inconsistency between the --default-key and --local-user
+# arguments: when you have multiple signing subkeys, --local-user chooses the
+# newest, and --default-key chooses the one that's available. The latter is
+# clearly preferable. So we shuffle the arguments around a little.
+for arg; do
+	if [[ $arg = -bsau ]]; then
+		args+=(-bsa --default-key)
+	else
+		args+=($arg)
+	fi
+done
+exec gpg2 --no-tty "${(@)args}"

local/bin/gpg2-no-tty

@@ -1,2 +0,0 @@
-#!/bin/sh
-exec gpg2 --no-tty "$@"