A relatively unknown and underused feature of Git is the ability to cryptographically sign commits. It is an optional feature that gives the author of a commit a way to prove that they really made it: the author name and email on a commit are just text that anyone can set, but a signature can only be produced by someone holding the author's private key. It uses the author's GPG key to leave a signature in the commit that can be checked later.

If you're a Keybase user, it's pretty easy to use your Keybase GPG key for signing your Git commits. Then, once your commits are signed, GitHub provides a nice interface for verifying that commits have been signed and by whom.

This tutorial walks you through the process I took to set up Git commit signing with my Keybase GPG key. I went from not having a GPG key installed locally through to seeing my commits marked as Verified on GitHub.

Why should we sign Git commits?

A few days ago, I was at NDC Security and saw a talk by Phil Haack where he spoofed a "malicious" commit to look like it was made by Troy Hunt (who was also speaking).
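To make concrete what "a signature in the commit that can be checked later" means, here is an added example (my own illustration, not code from the original post or from Git): a small Python script that serialises a commit object in Git's own format, shows where the `gpgsig` header ends up, and recovers the exact bytes that GPG signed. The tree and parent IDs and the PGP armor block are constructed placeholders, not real values from any repository, and the author names are invented.

```python
"""How a signed Git commit object is laid out, and what the signature covers.

When you run `git commit -S`, Git hands GPG the commit buffer (tree, parent,
author, committer headers plus the message) and stores the resulting
ASCII-armored detached signature inside the object as a multi-line `gpgsig`
header. `git verify-commit` / `git log --show-signature` do the reverse: strip
that header out and give the remaining bytes to GPG as the signed payload.
The author line itself is plain text; only the signature ties it to a key.
"""
import hashlib

# Constructed sample values (assumptions, not data from any real repository).
HEADERS = [
    ("tree", "4b825dc642cb6eb9a060e54bf8d69288fbee4904"),  # Git's empty tree
    ("parent", "0" * 40),
    ("author", "Alice Example <alice@example.com> 1516118400 +0000"),
    ("committer", "Alice Example <alice@example.com> 1516118400 +0000"),
]
MESSAGE = "Add feature\n"
# Placeholder armor: the shape Git stores, not a real OpenPGP signature.
FAKE_ARMOR = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEEconstructedplaceholder=\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)


def build_commit(headers, message, signature=None):
    """Serialise a commit object the way Git does.

    If `signature` (ASCII armor) is given it becomes the `gpgsig` header:
    the first armor line follows "gpgsig ", and every later line is prefixed
    with one space, so an empty armor line is stored as a line holding " ".
    """
    lines = [f"{name} {value}" for name, value in headers]
    if signature is not None:
        armor = signature.rstrip("\n").split("\n")
        lines.append("gpgsig " + armor[0])
        lines.extend(" " + line for line in armor[1:])
    return ("\n".join(lines) + "\n\n" + message).encode()


def split_signature(raw: bytes):
    """Return (payload, signature) for a commit object, as verification does.

    The `gpgsig` header and its continuation lines are removed; what remains
    is the payload GPG actually signed. The armor is rebuilt by dropping the
    leading space from each continuation line. signature is None if unsigned.
    """
    header_part, sep, message = raw.partition(b"\n\n")
    payload_lines, sig_lines = [], []
    in_sig = False
    for line in header_part.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            payload_lines.append(line)
    payload = b"\n".join(payload_lines) + sep + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def commit_id(raw: bytes) -> str:
    """Object ID of a commit: SHA-1 over "commit <size>\\0<bytes>"."""
    return hashlib.sha1(b"commit %d\x00" % len(raw) + raw).hexdigest()


def author_of(raw: bytes) -> str:
    """The author line as stored: no cryptography is involved in writing it."""
    payload, _ = split_signature(raw)
    for line in payload.partition(b"\n\n")[0].split(b"\n"):
        if line.startswith(b"author "):
            return line[len(b"author "):].decode()
    raise ValueError("no author header")


if __name__ == "__main__":
    signed = build_commit(HEADERS, MESSAGE, FAKE_ARMOR)
    unsigned = build_commit(HEADERS, MESSAGE)
    payload, sig = split_signature(signed)
    print(signed.decode())
    print("payload equals the unsigned object:", payload == unsigned)
    # Spoofing: rewrite the author line and drop the signature. Git accepts
    # this object happily; only signature verification would expose it.
    spoofed_headers = [(n, "Someone Else <someone@example.com> 1516118400 +0000")
                       if n == "author" else (n, v) for n, v in HEADERS]
    spoofed = build_commit(spoofed_headers, MESSAGE)
    print("spoofed author:", author_of(spoofed), "signed:", split_signature(spoofed)[1] is not None)
```

Because the payload is exactly the unsigned object, changing the author, the message, the tree or the parent after the fact invalidates the signature, while an unsigned commit carries nothing to check at all. On a real repository you can see the same layout with `git cat-file -p HEAD` after a `git commit -S`, and check it with `git verify-commit HEAD` or `git log --show-signature`. Note also that GitHub only marks a commit Verified when the public key has been added to the account and the email in the signing key matches a verified email on that account.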