Article: http://mikegerwitz.com/papers/git-horror-story
-
faking other users' commits is easy with the --author flag (author and committer are plain metadata; nothing in git checks them)
$ git commit --author='Foo Bar <[email protected]>' -m 'some commit'
-
signing commits ensures:
- nobody else can produce a commit that verifies as mine (anyone can still put my name/email on a commit, but they can't sign it with my private key, so such commits fail verification or show up unsigned)
- every commit carrying my good signature was really made (or reviewed and signed) by me
list gpg keys
$ gpg --list-secret-keys
sec   4096R/8EE30EAB 2011-06-16 [expires: 2014-04-18]
            ^^^^^^^^
- take the key ID from the sec line (the part after the slash); newer gpg prints it as e.g. rsa4096/<long id> instead
- prefer the 16-hex long ID or the full fingerprint over the 8-hex short ID (short IDs are cheap to collide, and git passes whatever you set straight to gpg)
specify gpg key with git
$ git config --global user.signingkey 8EE30EAB
commit and sign a commit
$ git commit -S -m 'msg'
- it's just the -S flag
- it will prompt for the gpg key passphrase (unless gpg-agent already has it cached)
-
showing commit signatures
$ git log --show-signature
- with this, git runs gpg and checks whether each signature is good (the signer's public key has to be in the verifying machine's keyring)
- in log --pretty=format, %G? gives the status as one letter: G good, B bad, U good but key not trusted, X good but signature expired, Y good but key expired, R good but key revoked, E cannot be checked (e.g. missing key), N no signature
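A check built on %G?, as an added example (not from the paper or the author's own tooling): a small POSIX sh/awk audit that runs git log over a range and reports every commit whose signature is not G, optionally also flagging good signatures from keys outside an allowlist. The function names audit_signature_lines and audit_range, the tab-separated log layout and the allowlist convention are my assumptions; the status letters are git's documented %G? values and %GK is git's placeholder for the signing key.

```sh
#!/bin/sh
# Added example (not from the paper): audit the signature status of every
# commit in a range and report anything that is not a good, trusted signature.
#
# Input lines are tab-separated "<sha>\t<%G?>\t<%GK>\t<%aN>", as produced by
# the git log format in audit_range below. Tabs (not spaces) matter: %GK is
# empty for unsigned commits and a whitespace split would shift the fields.
#
# Optional first argument: space-separated allowlist of signing key IDs, in
# the form %GK prints them (a long key ID with modern gpg). With an allowlist,
# a good signature from any other key is reported too.
#
# Exit status: 0 if every commit passes, 1 otherwise.
audit_signature_lines() {
    awk -F '\t' -v allowed="$1" '
        # %G? letters per git-log(1): G good, B bad, U good but untrusted key,
        # X good but expired signature, Y good but expired key, R good but
        # revoked key, E cannot be checked (e.g. missing key), N no signature.
        function desc(s) {
            if (s == "B") return "bad signature"
            if (s == "U") return "good signature but key not trusted"
            if (s == "X") return "good signature but expired"
            if (s == "Y") return "good signature but key expired"
            if (s == "R") return "good signature but key revoked"
            if (s == "E") return "signature cannot be checked"
            if (s == "N") return "no signature"
            return "unknown status"
        }
        BEGIN {
            n = split(allowed, tmp, " ")
            for (i = 1; i <= n; i++) ok[tmp[i]] = 1
            bad = 0
        }
        {
            sha = substr($1, 1, 12); status = $2; key = $3; author = $4
            if (status != "G") {
                bad++
                printf "%s %s %s [%s]\n", sha, status, desc(status), author
            } else if (allowed != "" && !(key in ok)) {
                bad++
                printf "%s %s key %s not in allowlist [%s]\n", sha, status, key, author
            }
        }
        END { exit (bad > 0) }
    '
}

# Run the audit over a commit range, e.g.:  audit_range origin/master..HEAD
# or with an allowlist:  audit_range v1.0.0..HEAD "0123456789ABCDEF FEDCBA9876543210"
# (the pipeline exit status is awk's, so this can gate a CI job directly)
audit_range() {
    git log --pretty='tformat:%H%x09%G?%x09%GK%x09%aN' "$1" | audit_signature_lines "$2"
}
```

Status U is the one to watch in CI: the signature itself is fine but the runner's keyring does not trust the key, so import and trust the team's keys (or at least allowlist them) instead of accepting U. Setting commit.gpgsign to true in your own config keeps your own commits from ever showing up as N.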
signed tag
$ git tag -s v1.0.0 -m 'msg'
- to verify the tag
$ git tag -v v1.0.0
reviewing and signing each commit (this rewrites history)
- commit author and author date are not changed (the committer becomes me)
- commit SHAs will change, so only do this on commits that haven't been pushed or shared yet
-
rebase
$ git rebase -i HEAD~x
- in the todo list mark every commit as e (edit); the rebase then stops at each one
-
reviewing a commit (while the rebase is stopped, HEAD is that commit, so this shows its full change)
$ git diff HEAD^
-
signing a commit (again, the author is kept; -C HEAD reuses the existing commit message, so only the signature is added)
$ git commit -S --amend -C HEAD
-
continue to the next commit; repeat until the rebase finishes
$ git rebase --continue
signing a merge
- asserts I'm the one that performed the merge and vouch for the resulting tree
- does not assert that each merged commit was reviewed or signed individually (unsigned ones still show up as N in %G?)
$ git merge -S --no-ff <branch>