GnuPG signing all the things
Steve Youngs <steve <at> sxemacs.org>
2015-06-07 06:36:24 GMT
When we first started using git the only thing you could sign were tags.
That was a bit of a let down for me because back in the day when we were
using tla, pretty much everything was signed.
That was then.
A few weeks ago I updated my git (I have v2.4.0 now) and discovered that
you can now sign, not only tags, but commits and merges as well. Whee!!
As soon as I learned of this, I jumped in and...
git config --global commit.gpgSign true
For merges I use `git merge -S ...'; however, I only sign merges going
into master. So if I'm hacking on something in a sub-sub-sub-branch
somewhere I won't sign the merges up to the "topic" branch, just when I
merge that into master. All of the commits along the way would have
been signed anyway.
Verifying the things:
git log --show-signature
git show --show-signature
git tag -v
If you do `git log --show-signature' on my repo you'll see that the last
few commits (including merge commits) I've done have been signed.
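As an added example (my own, not part of the original post), a small POSIX sh audit built on the `%G?' field of git log that reports commits whose signature is missing, bad or unverifiable, e.g. over the merges into master described above. It assumes the developers' keys have already been imported from the devkey tags; the function names (audit_lines, audit_ref) are mine.

```shell
#!/bin/sh
# Added example: audit the signature status of commits using the %G? field of
# git log. Assumes the developers' keys have already been imported
# (git show devkey.XX | gpg --import); otherwise every commit reports "E".
#
# %G? codes (from git-log(1)): G good, U good but key validity unknown,
# B bad, X good but signature expired, Y good but key expired,
# R good but key revoked, E cannot check (e.g. missing key), N no signature.

# audit_lines reads "<hash> <G?> <keyid> <signer>" records from stdin, prints
# one verdict per commit and returns 1 if any commit violates the policy
# (unsigned, bad, or unverifiable).
audit_lines() {
    rc=0
    while read -r hash status keyid signer; do
        case "$status" in
            G|U) echo "ok       $hash $keyid $signer" ;;
            N)   echo "UNSIGNED $hash"; rc=1 ;;
            E)   echo "NOKEY    $hash $keyid (import the devkey tag first)"; rc=1 ;;
            *)   echo "BAD      $hash status=$status $keyid"; rc=1 ;;
        esac
    done
    return "$rc"
}

# audit_ref runs git log with the given selectors and feeds it to audit_lines.
#   Commits on master:           audit_ref master
#   Only merges into master:     audit_ref --first-parent --merges master
#   Commits not yet pushed:      audit_ref myremote/master..master
audit_ref() {
    git log --format='%H %G? %GK %GS' "$@" | audit_lines
}
```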
I'd like us all to start signing our commits. At this stage, at least,
I'm not going to make it mandatory, but I'll be strongly encouraging
(nagging?) you to do so.
If you guys are on board with signing your stuff (to be honest, I can't
think why you wouldn't be), I'd like to add your keys to the repo in the
same fashion as how I did mine. The following one-liner is all you
need to do to get your key into the repo (don't blindly kill/yank it, my
key is already in the repo :-P)...
git tag -s devkey.SY \
$(gpg --armor --export steve@sxemacs.org | git hash-object -w --stdin)
That will drop you in your editor (gnuclient, right!?) to add a log message:
,----[ Example log message ]
| This is the GnuPG key used by Steve Youngs <steve@sxemacs.org> to sign
| commits, merges, and tags in this repository.
| You may import this key into your GnuPG keyring with...
| `git show devkey.SY | gpg --import'
| To verify signed objects in the repo, use the `--show-signature'
| option with the git-log and git-show commands.
Then push it to your remote with...
git push --tags myremote
Let me know you've done it, so I can then fetch the tag into my repo.
Please use the naming convention of "devkey.$INITIALS" to keep things
nice and neat.
I do not know if it is possible to posthumously sign the commits already
in the repo. I'll research it, and if it turns out to be trivial and
risk free I may do so, otherwise... nope, not gonna worry about it.
I'm going to add all of this to the SPPM.
Nelson, it might be nice for contrib/git-for-steve.sh to include this.
Have fun, guys!
Notes:
 - If git can't find the right key for signing, you can set `user.signingKey'.
 - See: `git show maintainer-pgp'.
 - `git push --tags' will push _all_ of your tags, so if you are in the habit
   of adding your own private tags in your WDs it might be better to push
   _just_ the devkey.$INITIALS with: `git push myremote devkey.$INITIALS'.
   But I'll delete any private tags that leak through.
|---<Steve Youngs>---------------<GnuPG KeyID: A94B3003>---|
| SXEmacs - The only _______ you'll ever need. |
| Fill in the blank, yes, it's THAT good! |
|------------------------------------<steve <at> sxemacs.org>---|