I'm just curious, are people out there generally signing their git commits these days?
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
I think it was an issue with a 3rd party npm module that led me to this (I forget the details), but I've decided to start doing this.
Is there any downside to it? I couldn't find one. If not, seems like a sound thing to do.
Not sure I can summarize it better than this article: "When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else."
Unless your GPG key was signed by somebody I know, what difference would it make?
Thanks for sharing this tip. I'm wondering if there are real use cases in open source projects. Unless someone has ill intentions and would impersonate someone else, I'm not sure I see the benefits of doing that.
Unless this is a sensitive project? Or a private one?
It takes very little effort to generate a key and sign your commits and as Daniel says it provides a way to make sure the commit came from you and nobody altered it. If somebody wants to manipulate a repository they cannot easily do it undetected.
Considering the effort/benefits ratio I think it's a security measure that makes total sense to implement.
# Generate a GPG key.
cd
gpg2 --gen-key
# Export the public key (this is the part you hand to others or upload to your Git hosting service).
gpg2 --export --armor me@mydomain.org > me@mydomain.org-pubkey.asc
mv me@mydomain.org-pubkey.asc .gnupg/
# Configure Git to use it.
# Take the primary key fingerprint from gpg's machine-readable (--with-colons) output;
# cutting fields out of the human-readable listing breaks across gpg versions and locales.
git config --global user.signingkey "$(gpg2 --list-secret-keys --with-colons --fingerprint me@mydomain.org | awk -F: '$1=="fpr"{print $10; exit}')"
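To make the "cannot be altered undetected" claim concrete, here is an added end-to-end example (not code posted in this thread): it generates a throwaway key in an isolated GNUPGHOME, signs a commit, verifies it, then rewrites the commit with the original signature still attached and shows that verification fails. It assumes gpg 2.1+ and git 2.1+ are on PATH; the identity "Demo Signer <demo@example.invalid>" is hypothetical (example.invalid is a reserved domain).

```shell
#!/bin/sh
# Added example, not from the thread: sign a commit, verify it, then show that
# changing the signed content makes verification fail. Everything happens in
# throwaway directories that are removed on exit. Assumes gpg 2.1+ and git 2.1+.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
export GNUPGHOME="$WORK/gnupg"          # isolated keyring; your real keys are untouched
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway identity (hypothetical; example.invalid is a reserved domain).
SIGNER_NAME="Demo Signer"
SIGNER_MAIL="demo@example.invalid"

# Generate an Ed25519 signing key non-interactively with an empty passphrase.
# Acceptable for a demo key deleted on exit; a real signing key gets a passphrase.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$SIGNER_NAME <$SIGNER_MAIL>" ed25519 sign never

# Primary-key fingerprint from machine-readable output (stable across versions/locales).
FPR=$(gpg --list-secret-keys --with-colons --fingerprint "$SIGNER_MAIL" \
      | awk -F: '$1=="fpr"{print $10; exit}')

git init -q "$REPO"
git -C "$REPO" config user.name "$SIGNER_NAME"
git -C "$REPO" config user.email "$SIGNER_MAIL"
git -C "$REPO" config user.signingkey "$FPR"
git -C "$REPO" config commit.gpgsign true   # sign every commit in this repo by default
echo "hello" > "$REPO/README"
git -C "$REPO" add README
git -C "$REPO" commit -q -m "original message"

# Returns 0 if HEAD carries a good signature from a key in our keyring.
verify_head() {
    git -C "$REPO" verify-commit HEAD >/dev/null 2>&1
}

# Re-create HEAD with one word of the message changed but the ORIGINAL gpgsig
# header kept, which is what someone rewriting history without the key can do.
# The signature covers tree, parents, author, committer and message, so the
# same test would fail for a changed tree or author line as well.
tampered_commit() {
    git -C "$REPO" cat-file commit HEAD \
        | sed 's/^original message$/tampered message/' \
        | git -C "$REPO" hash-object -t commit -w --stdin
}

# Returns 0 only if the tampered object still verifies (it must not).
verify_tampered() {
    git -C "$REPO" verify-commit "$(tampered_commit)" >/dev/null 2>&1
}

if verify_head; then echo "signed commit: GOOD signature"; fi
if verify_tampered; then
    echo "tampered commit: still verifies (this should never happen)"
else
    echo "tampered commit: BAD signature, as expected"
fi
git -C "$REPO" log --show-signature -1
```

Note that `git verify-commit` and `git log --show-signature` only check against the keys in the verifier's own keyring: a good signature from a key nobody has vouched for proves the commit was not changed after signing, but whose key it is remains a separate trust question.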
Oh? As per the article I just did "gpg --list-secret-keys --keyid-format LONG" and then used my long key id. Seemed easier. :)