Signing Commits in Github — Harder than necessary
Recently, I realized that, as a regular user of GPG (it’s a hard requirement for my password manager of choice, pass, and also serves to present my SSH key to servers), I have the ability to further protect the integrity of my identity online by using Git’s commit signing. Setting this up on the client was trivial — a few simple changes to my .gitconfig and I was immediately able to set up auto-signing of new Git commits. However, setting up signing in Github was much more obtuse.
Github lacks any centralized area to indicate a desire to sign commits, or a common through line that indicates how one sets up the functionality in light of the missing centralized area. I fished around in Github’s settings and finally figured out (after about 20 minutes). There are essentially two parts: you first need to ensure that your signature uses an email that is linked to your account, and then you need to upload your public key to the “Keys” section in settings. All in all, not hard, but neither would it be hard to provide a simple area (or a small button) that says “click here” if you want to set up GPG commit signing.
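The two pieces described above, the client-side .gitconfig changes and the requirement that the signing key carry the same e-mail that is linked to the account, can be checked locally before a signed commit is ever pushed. The script below is an added example, not code from the original post or from Github: it emits the `git config` commands that turn on automatic signing, and it parses `gpg --list-keys --with-colons` output (a constructed sample is embedded so it runs offline; replace `SAMPLE_KEYS` with the real output) to confirm that the e-mail in `user.email` appears as a UID on the key named in `user.signingkey`. A mismatch there is the usual reason a pushed commit shows as “Unverified” even though it is signed. The key id, fingerprint and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example: pre-flight checks for Git commit signing with GPG.
# Not part of the original post; assumes only POSIX sh and awk.

# Constructed sample of `gpg --list-keys --with-colons` for a single key.
# In real use: SAMPLE_KEYS=$(gpg --list-keys --with-colons)
SAMPLE_KEYS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:ABCDEF0123456789:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Jane Developer <jane@example.com>::::::::::0:
uid:u::::1600000000::1111111111111111111111111111111111111111::Jane Developer <jane@users.noreply.github.com>::::::::::0:
sub:u:4096:1:1122334455667788:1600000000::::::e::::::23:'

# signing_key_has_email KEYID EMAIL
# Succeeds (exit 0) when the key identified by KEYID (long key id or any
# suffix of the fingerprint) has a UID whose address is exactly EMAIL.
# Colon-format fields: pub field 5 = long key id, fpr field 10 = fingerprint,
# uid field 10 = user id string.
signing_key_has_email() {
  key="$1"
  email="$2"
  printf '%s\n' "$SAMPLE_KEYS" | awk -F: -v key="$key" -v email="$email" '
    $1 == "pub" { inkey = ($5 == key) }
    $1 == "fpr" && !inkey {
      fp = $10
      if (length(key) <= length(fp) &&
          substr(fp, length(fp) - length(key) + 1) == key) inkey = 1
    }
    $1 == "sub" { inkey = 0 }          # subkeys carry no UIDs
    $1 == "uid" && inkey && index($10, "<" email ">") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# print_signing_config KEYID EMAIL
# Prints the client-side setup from the post as git commands: set the
# e-mail the signature will carry, name the key, and sign every commit.
print_signing_config() {
  printf 'git config --global user.email "%s"\n' "$2"
  printf 'git config --global user.signingkey "%s"\n' "$1"
  printf 'git config --global commit.gpgsign true\n'
}

# print_public_key_export KEYID
# Prints the command whose output is pasted into the "Keys" section.
print_public_key_export() {
  printf 'gpg --armor --export "%s"\n' "$1"
}

# Demonstration on the constructed sample.
KEYID=ABCDEF0123456789
for addr in jane@example.com nobody@example.com; do
  if signing_key_has_email "$KEYID" "$addr"; then
    echo "ok: $addr is a UID on $KEYID; Github can match it to a linked e-mail"
    print_signing_config "$KEYID" "$addr"
    print_public_key_export "$KEYID"
  else
    echo "mismatch: $addr is not a UID on $KEYID; commits would show as unverified"
  fi
done
```

The check is deliberately strict about the angle brackets so that `jane@example.com` does not match a UID for `notjane@example.com`; the fingerprint-suffix match mirrors how GPG itself accepts a short id, long id or full fingerprint in `user.signingkey`.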
This reinforces the ideas presented throughout the semester that security is often an add-on idea rather than baked into the system. Supporting the display of signed commits is rather new in Github (I guess? It rolled out in 2016, but given the number of users that this feature probably has, I imagine it’s not terribly high on the “To Fix” list inside Github itself), but the experience isn’t perfect. We can do better.
Further, the whole ordeal just served to remind me that developers are users. I’m significantly more technical than most people, but hunting through menus isn’t appreciably easier for me than for my Grandmother (except that I don’t have arthritis so bad that I can hardly click the mouse). For a technical tool like Github, I would think that these sorts of more niche problems would be solved — but maybe GPG users signing their commits is too small a user base to warrant better UX. However, I do wonder if better UX could get more people signing their commits.