Why Sign Your Commits?
Before learning how to sign commits, we will learn why signing your commits is important.
Commit signing offers ...
Signing commits with an SSH key is easier to set up and should be considered the default method.
dev.to/igmrrf/adding-ssh-keys-to-y... Git: The complete guide to sign your commits with an ssh key
Christophe Colombier ・ Apr 7
The GPG world comes with a lot of issues and background.
And where in this article are the commits signed?
@syeo66 @imransaifi
I took the time this weekend to write an article about ssh signing in git
Git: The complete guide to sign your commits with an ssh key
Christophe Colombier ・ Apr 7
Thanks. One thing is missing: How would you verify the signature? With gpg there is at least the possibility to retrieve the public key from a key server. There is no such thing for ssh. How would you manage the public keys of your peers to verify the signed commits?
I will detail this in my next post. Here you rely on GitHub/GitLab.
I did some research, and GPG signing seems to remain the reference in terms of security because:
@imransaifi, but in my article I already wrote the part about the allowed_signers file inside the repository.
Lol. Indeed. I quoted a wrong one. I'll write one on dev.to if I don't find one.
I just updated the article. Thanks for commenting and letting me know.
I just updated the article with the screenshot of a signed commit. I missed that.
Thanks for letting me know.
Thanks. I will definitely try with ssh key. I was using GPG key and thought that GPG keys are more secure. But now I will definitely try other methods too.
You can sign your commits with your email address, the user signing key and the -S flag. And if you are working in a private company project, for example, you would be using a company email address, so it seems overkill to do this whole approach with GPG. It is rubbing me off a tad with sharing your GPG key with others as well, seems a bit insecure to me 🤔
Well, sharing your public key with others is the whole point of gpg. This way people can verify your signed commit is actually yours...
Thanks for sharing! I will definitely try other things as well. I just thought GPG is a little more secure than other options. But after your suggestion, I will definitely try other options as well.
How can the other team members see if commits are signed?
I updated the article with the screenshot of a signed commit.
Thank you so much for commenting, Jesus.
Thanks for sharing, Imran!
You're welcome Madhu.
Good guide
Thank you, Bart.