Mission Specialist

Signing your git commits?

I'm just curious, are people out there generally signing their git commits these days?

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

I think it was an issue with a 3rd party npm module that led me to this (I forget the details), but I've decided to start doing this.

Is there any downside to it? I couldn't find one. If not, seems like a sound thing to do.

5 Replies
Starfighter

Re: Signing your git commits?

Unless your GPG key was signed by somebody I know, what difference would it make?

Mission Specialist

Re: Signing your git commits?

Not sure I can summarize it better than this article: "When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else."

https://www.linuxjournal.com/content/signing-git-commits

Flight Engineer

Re: Signing your git commits?

Thanks for sharing this tip. I'm wondering if there are real use cases in open source projects. Unless someone has ill intentions and would impersonate someone else, I'm not sure I see the benefits of doing that.

Unless this is a sensitive project? Or a private one?

 

Flight Engineer

Re: Signing your git commits?

It takes very little effort to generate a key and sign your commits and, as Daniel says, it provides a way to make sure the commit came from you and nobody altered it. If somebody wants to manipulate a repository they cannot easily do it undetected.

Considering the effort/benefit ratio, I think it's a security measure that makes total sense to implement.

 

# Generate a GPG key.

cd

gpg2 --gen-key

# Export the public key in ASCII armor so it can be uploaded to the git hosting service.

gpg2 --export --armor me@mydomain.org > me@mydomain.org-pubkey.asc
mv me@mydomain.org-pubkey.asc .gnupg/

# Configure git to use it. Read the primary key fingerprint from the
# machine-readable listing (--with-colons, field 10 of the "fpr" record)
# instead of scraping the human-readable output, which changes between
# gpg versions and breaks the grep/awk/cut/sed chain.

git config --global user.signingkey "$(gpg2 --list-secret-keys --with-colons me@mydomain.org | awk -F: '$1 == "fpr" { print $10; exit }')"

# Optional: sign every commit by default instead of passing -S each time.

git config --global commit.gpgsign true

 

 

 

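Added example, not code from the original thread or from git itself, illustrating the two points made in the reply above: which bytes of a commit a signature actually covers (so why nobody can alter the commit undetected), and why "the signature verifies" is not the same as "the key is trusted" (the objection raised earlier in the thread). It is plain Python and runs without git or gpg installed: the commit object, the log output, the object hashes, the fingerprints and the armored signature body are all constructed placeholders (assumptions), laid out the way `git cat-file commit <id>` and `git log --format='%H%x09%G?%x09%GF%x09%GS'` print them.

```python
import hashlib

# Constructed sample shaped like `git cat-file commit <id>` for a signed
# commit. Object hashes and the armored signature body are placeholders
# (assumption), not a real signature.
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 3f786850e387550fdab836ed7e6dc881de23001b\n"
    "author Alice Example <alice@example.org> 1700000000 +0000\n"
    "committer Alice Example <alice@example.org> 1700000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " iQEzBAABCAAdFiEEplaceholderSIGNATUREbytesXXXXXXXXXXXXXXXXXXXX\n"
    " =AbCd\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Add input validation to the upload handler\n"
)


def split_signed_commit(raw):
    """Return (signature, payload).

    `git verify-commit` hands `signature` to gpg and verifies it against
    `payload`: the commit object with the gpgsig header removed (continuation
    lines of a multi-line header start with one space, which is stripped).
    Tree, parents, author, committer and message are all covered, so editing
    any of them breaks the signature; the commit id itself is not covered.
    """
    headers, body = raw.split("\n\n", 1)
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return "\n".join(sig_lines) + "\n", "\n".join(kept) + "\n\n" + body


def object_id(raw):
    """Commit id = SHA-1 over "commit <size>\\0" + object bytes, signature
    included: the id pins one particular signature, while the signature binds
    the content. A different signature therefore yields a different commit id."""
    data = raw.encode()
    return hashlib.sha1(b"commit %d\0" % len(data) + data).hexdigest()


# Constructed sample of `git log --format='%H%x09%G?%x09%GF%x09%GS'`
# (tab-separated: commit, %G? status, signing key fingerprint, signer).
# Commits, fingerprints and identities are made up.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678\tG\t0123456789ABCDEF0123456789ABCDEF01234567\tAlice Example <alice@example.org>
b2c3d4e5f60718293a4b5c6d7e8f9012345678a1\tU\tFEDCBA9876543210FEDCBA9876543210FEDCBA98\tMallory <mallory@example.net>
c3d4e5f60718293a4b5c6d7e8f9012345678a1b2\tN\t\t
d4e5f60718293a4b5c6d7e8f9012345678a1b2c3\tB\t0123456789ABCDEF0123456789ABCDEF01234567\tAlice Example <alice@example.org>
"""

# %G? codes as documented in git's pretty formats.
STATUS = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature, key validity unknown",
    "X": "good signature, but expired", "Y": "good signature, but key expired",
    "R": "good signature, but key revoked",
    "E": "signature cannot be checked (key missing?)", "N": "no signature",
}


def check_log(log_text, trusted_fingerprints):
    """Accept a commit only if gpg reports a good signature (G) AND the signing
    key's fingerprint is in our own allow-list. gpg reports a good signature for
    any key it can find in the keyring, so the allow-list (or a web of trust you
    maintain) is what turns "valid" into "trusted"."""
    verdicts = []
    for line in log_text.splitlines():
        sha, status, fpr, signer = line.split("\t")
        if status != "G":
            verdicts.append((sha, False, STATUS.get(status, "unknown status " + status)))
        elif fpr.upper() not in trusted_fingerprints:
            verdicts.append((sha, False, "good signature, but key %s is not allow-listed" % fpr))
        else:
            verdicts.append((sha, True, "signed by allow-listed key of " + signer))
    return verdicts


if __name__ == "__main__":
    signature, payload = split_signed_commit(SAMPLE_COMMIT)
    print("bytes gpg verifies:\n" + payload)
    print("commit id:", object_id(SAMPLE_COMMIT))
    trusted = {"0123456789ABCDEF0123456789ABCDEF01234567"}
    for sha, ok, why in check_log(SAMPLE_LOG, trusted):
        print(sha[:12], "ACCEPT" if ok else "REJECT", why)
```

On a real repository, feed check_log the output of that git log command (git runs gpg once per commit whenever a %G placeholder is used, so a long history takes a while) and put the fingerprints of the keys you have actually vouched for in the allow-list; a "U" or an unlisted "G" is exactly the "key signed by nobody I know" case.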
Mission Specialist

Re: Signing your git commits?

Oh? As per the article I just did "gpg --list-secret-keys --keyid-format LONG" and then used my long key ID. Seemed easier. :)
