ChrysaLisp
PGP signed commits & code?
We can haz pls? :(
Forgive my ignorance, but please explain?
I know what PGP is, so is this some setting I need to enable on the release build stuff?
Regards
Chris
This is the first I hear of PGP signed commits.
The Pro Git Book, which I'd kind-of consider the official git documentation, covers this in the following chapters:
5.3 Distributed Git - Maintaining a Project
Specifically, check the subsection "Tagging Your Releases":
https://git-scm.com/book/en/v2/Distributed-Git-Maintaining-a-Project
7.4 Git Tools - Signing Your Work:
Do note the disclaimer at the end though, "Everyone Must Sign":
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
10.3 Git Internals - Git References:
Specifically, check the subsection "Tags":
https://git-scm.com/book/en/v2/Git-Internals-Git-References
Note however, some gotchas:
- Presumably, you might wish to use some subkey(s) of your existing public PGP key (if any); for details on how to do so, see here: https://stackoverflow.com/a/50986820. Note however that the example given there uses a short key ID, a TERRIBLE idea, see here for why: https://security.stackexchange.com/q/84280
- Revocation entails... issues, albeit not unsolvable ones, as showcased here: https://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/
GitHub also has a section on it but... I'D STRONGLY recommend reading that only after you've understood how it OUGHT TO work, based on the above; as the GitHub documentation on this leaves quite a few key pieces out:
https://help.github.com/articles/managing-commit-signature-verification/
https://help.github.com/articles/troubleshooting-commit-signature-verification/
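An added example (not part of the original thread, and not code from any of its participants) for the short-key-ID gotcha mentioned in the comment above: it classifies a `user.signingkey` value and shows which keys in a `gpg --list-keys --with-colons` listing it resolves to. The fingerprints and listing are constructed, and accepting only a full 40-hex fingerprint is this example's own policy.

```python
import re

# Constructed fingerprints (not real keys); FPR_A and FPR_C share their last 8 hex digits.
FPR_A = "A" * 24 + "1111222233334444"
FPR_SUB = "B" * 24 + "5555666677778888"   # stands in for a signing subkey of key A
FPR_C = "C" * 24 + "9999000033334444"

def _record(kind, fpr):
    # Minimal pub/sub line plus its fpr line, in gpg's colon-delimited layout.
    return [f"{kind}:u:4096:1:{fpr[-16:]}:1500000000:", "fpr" + ":" * 9 + fpr + ":"]

SAMPLE_LISTING = "\n".join(
    _record("pub", FPR_A) + _record("sub", FPR_SUB) + _record("pub", FPR_C)
)

def parse_fingerprints(listing):
    """Collect the fingerprint (field 10) of every 'fpr' record."""
    fprs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.append(fields[9].upper())
    return fprs

def classify(key_spec):
    """Return (kind, normalized hex) for a user.signingkey value."""
    hexid = key_spec.strip().rstrip("!").upper()   # a trailing '!' pins one exact (sub)key
    if hexid.startswith("0X"):
        hexid = hexid[2:]
    if not re.fullmatch(r"[0-9A-F]+", hexid):
        return "invalid", hexid
    kind = {8: "short", 16: "long", 40: "fingerprint"}.get(len(hexid), "invalid")
    return kind, hexid

def check_signing_key(key_spec, listing):
    """Report how a signing-key value resolves against the keyring listing."""
    kind, hexid = classify(key_spec)
    fprs = parse_fingerprints(listing)
    # Key IDs are the trailing hex digits of the fingerprint, so match by suffix.
    matches = [] if kind == "invalid" else [f for f in fprs if f.endswith(hexid)]
    # Example policy (an assumption): only a full, uniquely matching fingerprint passes.
    return {"kind": kind, "matches": matches, "ok": kind == "fingerprint" and len(matches) == 1}

if __name__ == "__main__":
    for spec in ("33334444", "0x1111222233334444", FPR_SUB + "!"):
        print(spec, check_signing_key(spec, SAMPLE_LISTING))
```

On a real machine the listing would come from `gpg --list-keys --with-colons` and the value from `git config user.signingkey`.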
It's took a great while!
But no. I'll not be doing this ever.
🤷🏼 understandable, have a great day