DanielBerger
Mission Specialist

Signing your git commits?


I'm just curious, are people out there generally signing their git commits these days?

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

I think it was an issue with a third-party npm module that led me to this (I forget the details), but I've decided to start doing this.

Is there any downside to it? I couldn't find one. If not, seems like a sound thing to do.


5 Replies
Lisenet
Starfighter

Unless your GPG key was signed by somebody I know, what difference would it make?

DanielBerger
Mission Specialist
Accepted Solution

Not sure I can summarize it better than this article: "When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else."

https://www.linuxjournal.com/content/signing-git-commits

Razique
Flight Engineer

Thanks for sharing this tip. I'm wondering if there are real use cases in open source projects. Unless someone has ill intentions and would impersonate someone else, I'm not sure I see the benefits of doing that.

Unless this is a sensitive project? Or a private one?


Raul1
Flight Engineer

It takes very little effort to generate a key and sign your commits and, as Daniel says, it provides a way to make sure the commit came from you and nobody altered it. If somebody wants to manipulate a repository they cannot easily do it undetected.

Considering the effort/benefits ratio I think it's a security measure that makes total sense to implement.


# Generate a GPG key.
cd
gpg2 --gen-key

# Export the public key (this is the file you upload to your Git hosting service).
gpg2 --export --armor me@mydomain.org > me@mydomain.org-pubkey.asc
mv me@mydomain.org-pubkey.asc .gnupg/

# Configure git to sign with it. The fingerprint is taken from gpg's
# machine-readable (--with-colons) output, field 10 of the "fpr" record,
# rather than from the human-readable listing, whose layout changes between
# gpg versions and breaks the grep/cut approach.
git config --global user.signingkey "$(gpg2 --list-secret-keys --with-colons --with-fingerprint me@mydomain.org | awk -F: '$1=="fpr"{print $10; exit}')"

DanielBerger
Mission Specialist

Oh? As per the article I just did "gpg --list-secret-keys --keyid-format LONG" and then used my long key id. Seemed easier. :)
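The following script is an added example, not code posted by anyone in this thread. It ties the three points above together in one run: Daniel's summary (a signature proves the commit came from the key holder and was not altered), Lisenet's objection (the signature means little until the verifier trusts the key) and Raul1's setup steps (generate a key, export it, point git at it). It assumes git and gpg 2.1 or newer are installed; the committer identity, key and repository are constructed throwaways under a temporary directory, and every function name here is the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes git and gpg (2.1 or newer) are
# installed. The identity, key and repository below are constructed throwaways.
set -e

setup_demo() {
    DEMO=$(mktemp -d)                           # scratch workspace
    GNUPGHOME="$DEMO/signer"; export GNUPGHOME  # the committer's keyring
    STRANGER="$DEMO/stranger"                   # a reviewer who has never seen the key
    REPO="$DEMO/repo"
    mkdir -p "$GNUPGHOME" "$STRANGER"
    chmod 700 "$GNUPGHOME" "$STRANGER"

    # Signing-only Ed25519 key with no passphrase, generated non-interactively.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Committer <demo@example.invalid>" ed25519 sign never 2>/dev/null
    # Fingerprint from the machine-readable listing (field 10 of the fpr record).
    FPR=$(gpg --list-secret-keys --with-colons --with-fingerprint \
          | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --export --armor "$FPR" >"$DEMO/pubkey.asc"

    # Repository configured to sign every commit with that key.
    git init -q "$REPO"
    git -C "$REPO" config user.name "Demo Committer"
    git -C "$REPO" config user.email "demo@example.invalid"
    git -C "$REPO" config user.signingkey "$FPR"
    git -C "$REPO" config commit.gpgsign true
    git -C "$REPO" commit -q --allow-empty -m "signed commit"
}

# git's one-letter verdict for HEAD: G good and trusted, U good but the key's
# validity is unknown, E cannot check (no public key), B bad, N unsigned.
sig_status() { git -C "$REPO" log -1 --format='%G?'; }

# 1. Signer's own keyring: the key is ultimately trusted, verdict G.
sig_status_signer() { sig_status; }

# 2. Stranger's empty keyring: nothing to verify against, verdict E.
sig_status_stranger() { ( GNUPGHOME="$STRANGER"; export GNUPGHOME; sig_status ); }

# 3. Stranger imports the public key but has not certified it: the signature is
#    mathematically good (the bytes were not altered), yet who owns the key is
#    still unknown to them, verdict U. The signature only carries meaning once
#    the verifier trusts the key behind it.
sig_status_imported() {
    GNUPGHOME="$STRANGER" gpg --batch --quiet --import "$DEMO/pubkey.asc" 2>/dev/null
    ( GNUPGHOME="$STRANGER"; export GNUPGHOME; sig_status )
}

# 4. Rewrite the commit without the key: the new object carries no signature,
#    verdict N, which is exactly what a reviewer checking signatures notices.
sig_status_after_rewrite() {
    git -C "$REPO" commit -q --amend --allow-empty --no-gpg-sign -m "rewritten" >/dev/null
    sig_status
}

cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$STRANGER" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$DEMO"
}

# Run with "sh signing-demo.sh run" to print all four verdicts.
if [ "${1-}" = "run" ]; then
    setup_demo
    echo "signer=$(sig_status_signer) stranger=$(sig_status_stranger) imported=$(sig_status_imported) rewritten=$(sig_status_after_rewrite)"
    cleanup_demo
fi
```

The verdict letters come from `git log --format=%G?`, which is the same check `git verify-commit` and the "Verified" badge on hosting services rely on. Case 3 is the one to keep in mind when reading Lisenet's reply: importing a key from a forum post or a web page gets you from E to U, but only certifying the key (or trusting the forge's key-to-account binding) gets you to G.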
