DanielBerger
Mission Specialist

Signing your git commits?

I'm just curious, are people out there generally signing their git commits these days?

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

I think it was an issue with a 3rd party npm module that led me to this (I forget the details), but I've decided to start doing this.

Is there any downside to it? I couldn't find one. If not, seems like a sound thing to do.

5 Replies
Lisenet
Starfighter

Unless your GPG key was signed by somebody I know, what difference would it make?

DanielBerger
Mission Specialist

Not sure I can summarize it better than this article: "When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else."

https://www.linuxjournal.com/content/signing-git-commits

Razique
Flight Engineer

Thanks for sharing this tip. I'm wondering if there are real use cases in open source projects. Unless someone has ill intentions and would impersonate someone else, I'm not sure I see the benefits of doing that.

Unless this is a sensitive project? Or a private one?

Raul1
Flight Engineer

It takes very little effort to generate a key and sign your commits, and as Daniel says it provides a way to make sure the commit came from you and nobody altered it. If somebody wants to manipulate a repository, they cannot easily do it undetected.

Considering the effort/benefits ratio, I think it's a security measure that makes total sense to implement.


# Generate a GPG key.

cd

gpg2 --gen-key

# Export the public key so that others can verify your signatures.

gpg2 --export --armor me@mydomain.org > me@mydomain.org-pubkey.asc
mv me@mydomain.org-pubkey.asc .gnupg/

# Configure GIT to use it: read the key's full fingerprint from gpg's
# machine-readable (--with-colons) listing. The 10th field of the "fpr"
# record is the fingerprint; this is stable across gpg versions, unlike
# the human-readable listing (the "rsa2048/KEYID" layout went away in gpg 2.1).

git config --global user.signingkey "$(gpg --with-colons --list-secret-keys me@mydomain.org | awk -F: '$1 == "fpr" { print $10; exit }')"
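The following script is an added, runnable example and not code from the thread. It walks through what Raul1 and Daniel describe (generate a key, configure Git to sign, commit) in throwaway directories, and then shows the two outcomes Lisenet's question is about: a verifier who does not hold the public key cannot confirm the signature, and a commit rewritten without the key fails verification. It assumes gpg 2.1 or newer and git are installed; the name "Demo Dev", the address demo@example.com, and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sign a commit with a throwaway key and
# observe how verification behaves for the signer, for a stranger without the
# public key, and for a commit rewritten without a signature.
# Assumes gpg 2.1+ and git; "Demo Dev" / demo@example.com are made up.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"    # isolated keyring: the user's real keys are untouched
KEYFPR=''

# Generate an Ed25519 signing-only key with no prompts (no passphrase: demo only)
# and record its full fingerprint from gpg's machine-readable output.
setup_demo_key() {
    mkdir -m 700 "$GNUPGHOME"
    echo 'allow-loopback-pinentry' > "$GNUPGHOME/gpg-agent.conf"   # needed by early gpg 2.1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Dev <demo@example.com>' ed25519 sign 0 2>/dev/null
    KEYFPR="$(gpg --with-colons --list-secret-keys demo@example.com \
              | awk -F: '$1 == "fpr" { print $10; exit }')"
}

# A repository that signs every commit with that key (the thread's
# user.signingkey setting, scoped to this one repository instead of --global).
setup_demo_repo() {
    git init -q "$WORK/repo"
    git -C "$WORK/repo" config user.name 'Demo Dev'
    git -C "$WORK/repo" config user.email 'demo@example.com'
    git -C "$WORK/repo" config user.signingkey "$KEYFPR"
    git -C "$WORK/repo" config commit.gpgsign true
}

# Append a line to README and record it in a signed commit (message = $1).
add_signed_commit() {
    echo "$1" >> "$WORK/repo/README"
    git -C "$WORK/repo" add README
    git -C "$WORK/repo" commit -q -m "$1"
}

# Succeeds only if HEAD carries a signature that validates against our keyring.
verify_head() {
    git -C "$WORK/repo" verify-commit HEAD >/dev/null 2>&1
}

# The same check from a verifier whose keyring lacks the public key: the
# signature is present but cannot be checked, so git reports failure.
verify_as_stranger() {
    mkdir -p -m 700 "$WORK/stranger"
    GNUPGHOME="$WORK/stranger" git -C "$WORK/repo" verify-commit HEAD >/dev/null 2>&1
}

# Rewrite HEAD without signing, which is all someone without the key can do.
rewrite_head_unsigned() {
    git -C "$WORK/repo" commit -q --amend --no-gpg-sign -m 'rewritten without the key'
}

cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup_demo EXIT

setup_demo_key
setup_demo_repo
add_signed_commit 'first signed commit'
if verify_head; then
    echo "signer's keyring:   good signature on HEAD ($KEYFPR)"
fi
if ! verify_as_stranger; then
    echo "stranger's keyring: signature present but no public key, verification fails"
fi
rewrite_head_unsigned
if ! verify_head; then
    echo "after unsigned rewrite: verification fails, the change is detectable"
fi
```

Run it as `sh signing-demo.sh`; it cleans up its temporary keyring and repository on exit. The stranger case is the practical answer to "what difference does it make": a signature only proves something to someone who has obtained your public key through a channel they trust (a hosting service's profile, a key you handed over, a key signed by someone they know), which is why projects that rely on signed commits also publish the keys they accept.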

DanielBerger
Mission Specialist

Oh? As per the article I just did "gpg --list-secret-keys --keyid-format LONG" and then used my long key id. Seemed easier. :)
