rafaelrinaldi/README.md

Last active December 15, 2015 16:57

Star (2) You must be signed in to star a gist
Fork (1) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/rafaelrinaldi/556a1bcb5ab80890bb9e.js"></script>
Save rafaelrinaldi/556a1bcb5ab80890bb9e to your computer and use it in GitHub Desktop.

Download ZIP

Signing Git commits

Raw

Signing Git commits

Why

Because after reading this blog post (sent by my dear friend @hugobessaa) I got paranoid. It's a little effort that can avoid a lot of trouble.

The problem

User changes the commit author using the --author option
The commit then introduces a new bug (blaming the new author)
Crackers explore this breach 💀
An audit will not be able to identify who was the commit author

The solution

Since Git 1.7.2, one can sign commits (and tags) using their own GPG key.

How

Install gpg. You can install it from Homebrew:

$ brew install gpg

Generate a fresh key:

$ gpg --gen-key # Default options are fine

Now list all secret keys and copy the content from the sec row after the first /. Something like this:

$ gpg --list-secret-keys
/Users/your-user/.gnupg/secring.gpg
---------------------------------------
sec   XXXXX/YYYYYYYY 2015-01-01
uid                  Your Name (Your Comment) <[email protected]>
ssb   XXXXX/ZZZZZZZZ 2015-01-01

# What you want is that YYYYYYYY

Register your key to your Git configuration file:

$ git config --global user.signingkey your-key

You can now sign commits by using git commit -S. You might want to add it as an alias to your .gitconfig:

[alias]
  commit = commit -S

Profit 💰

Further Reading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment