PGP signed commits & code?

[no-identd]

We can haz pls? :(

[vygr]

Forgive my ignorance, but please explain ?

I know what PGP is, so is this some setting I need to enable on the release build stuff ?

Regards

Chris

[neauoire]

This is the first I hear of PGP signed commits.

[no-identd]

The Pro Git Book, which I'd kind-of consider the official git documentation, covers this in the following chapters:

5.3 Distributed Git - Maintaining a Project

Specifically, check the subsection "Tagging Your Releases":

https://git-scm.com/book/en/v2/Distributed-Git-Maintaining-a-Project

7.4 Git Tools - Signing Your Work:

Do note the disclaimer at the end though, "Everyone Must Sign":

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

10.3 Git Internals - Git References:

Specifically, check the subsection "Tags":

https://git-scm.com/book/en/v2/Git-Internals-Git-References

Note however, some gotchas:

1. Presumably, you might wish to use some subkey(s) of your existing public PGP key(if any), for details on how to do so, see here: https://stackoverflow.com/a/50986820. Note however that the example given there uses a short key ID, a TERRIBLE idea, see here for why: https://security.stackexchange.com/q/84280

2. Revocation entails... issues, albeit not unsolvable ones, as showcased here: https://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/

GitHub also has a section on it but... I'D STRONGLY recommend reading that only after you've understood how it OUGHT TO work, based on the above; as the GitHub documentation on this leaves quite a few key pieces out:

https://help.github.com/articles/managing-commit-signature-verification/

https://help.github.com/articles/troubleshooting-commit-signature-verification/

[vygr]

It's took a great while!

But no. I'll not be doing this ever.

[no-identd]

It's took a great while!

But no. I'll not be doing this ever.

🤷🏼 understandable, have a great day