Git users? It’s time to sign your commits!
The little story…
Recently (yesterday, in fact), GitHub announced a feature that helps users see whether a commit can be trusted: GPG signature verification.
I told myself that it was time to sign my commits!
But the real question is:
Why must I sign my commit?
The reason is simply to be able to trust the identity of a commit's author, no less, no more. A signature (as on paper) has always been used to certify something. Q.E.D!
Because with Git (as with e-mail), it is possible to impersonate someone: the author name and e-mail on a commit are whatever the committer configured, and nothing checks them. See below; the second commit is not from me (really!)... but it is shown as unverified!
The context
I'm on Mac OS X El Capitan (10.11.4), using ZSH (5.0.8) and Homebrew (0.9.5).
Let's download and install the following tools:
- Git SCM – Free and open source distributed version control.
- GPGTools – Tools to help you secure communication and encrypt files (Thanks to N!c0).
Let’s go!
The first step is to create a GPG key with GPG Keychain (part of GPGTools).
The second step is to use this key with Git and automatically sign every commit. This step is easy: edit “~/.gitconfig” like this:
Note: The “signingkey” value is the value of “Key ID” in GPG Keychain.
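The two settings that do this, as an added example of the “~/.gitconfig” fragment (this is not the post's own file; the key ID is a placeholder, not a real key):

```ini
[user]
    # Long key ID (or full fingerprint) of your key, as shown under "Key ID" in GPG Keychain
    signingkey = 0123456789ABCDEF
[commit]
    # Sign every commit without having to pass -S each time
    gpgsign = true
```

The same can be done from the command line with `git config --global user.signingkey 0123456789ABCDEF` and `git config --global commit.gpgsign true`; without `commit.gpgsign`, only commits made with `git commit -S` are signed.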
The final step consists of adding the public GPG key to GitHub.
First of all, export the public key from GPG Keychain.
Then add that key to GitHub. For the badge to read “Verified”, the e-mail address in the key's user ID has to be one of the verified addresses on your GitHub account, and the commit's author e-mail has to match it.
Commit, push and it’s done!
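The whole procedure above, from key generation to export, run end to end in a throwaway repository, together with the impersonation problem from the introduction (an unsigned commit under a spoofed author name next to a signed one). This is an added example, not code from the original post; it assumes `git` and GnuPG 2.x (`gpg`) are on the PATH, generates the key non-interactively instead of through GPG Keychain, and every name, e-mail address and path in it is constructed for the demo:

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Signed vs. spoofed commits in a
# temporary repository. Assumes git and GnuPG 2.x are installed; all identities
# and paths below are constructed for the demo.
set -eu

# Everything lives in temp dirs so neither ~/.gnupg nor a real repo is touched.
export GNUPGHOME="$(mktemp -d)"
REPO="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
# Let gpg accept the empty passphrase from the command line instead of a pinentry dialog.
echo 'allow-loopback-pinentry' > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME" "$REPO"' EXIT

# Step 1: generate a signing key (the GUI step in GPG Keychain), no passphrase, demo only.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Author <demo@example.invalid>' ed25519 sign never
# Field 5 of the "sec" record is the long key ID: what GPG Keychain shows as "Key ID".
KEYID="$(gpg --list-secret-keys --with-colons demo@example.invalid \
         | awk -F: '$1 == "sec" { print $5; exit }')"

# Step 2: point Git at the key and sign every commit automatically.
git -C "$REPO" init -q
git -C "$REPO" config user.name 'Demo Author'
git -C "$REPO" config user.email 'demo@example.invalid'
git -C "$REPO" config user.signingkey "$KEYID"
git -C "$REPO" config commit.gpgsign true
git -C "$REPO" commit -q --allow-empty -m 'Signed commit'

# Anyone can put any author on a commit; only the signature ties it to a key.
git -C "$REPO" -c user.name='Not Me' -c user.email='notme@example.invalid' \
    -c commit.gpgsign=false commit -q --allow-empty -m 'Unsigned commit with a spoofed author'

# Step 3: the ASCII-armored public key you paste into GitHub's "SSH and GPG keys" page.
export_public_key() {
  gpg --armor --export "$KEYID"
}

# %G? is Git's signature status: G = good, N = none, B = bad, U = good but untrusted key.
signature_status() {  # $1 = revision
  git -C "$REPO" log -1 --format='%G?' "$1"
}

author_name() {  # $1 = revision
  git -C "$REPO" log -1 --format='%an' "$1"
}

# Exit status 0 only when the commit carries a valid signature.
verify_commit() {  # $1 = revision
  git -C "$REPO" verify-commit "$1" >/dev/null 2>&1
}

# Stand-alone run: both commits side by side, then the first line of the export.
git -C "$REPO" log --format='%h %an <%ae> sig=%G? %s'
export_public_key | head -n 1
```

`git log --show-signature` or `git verify-commit` is the local equivalent of GitHub's badge: the spoofed commit carries the forged author name just as happily as the real one, and the only thing that distinguishes the two is the signature status.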
Conclusion
As you can see, it's very easy to generate a GPG key, use it with Git, and add it to GitHub!
A little bit of fun… #BONUS
Keybase provides a service that helps others verify your identity: it maps your identity to your public keys, and vice versa. (Thanks to Simon/FG for the invitation!)
Now I have some invitations if you want.^^