Signing commits with gpg
Hi All,
Gitlab now supports verification of commit signatures and it would be awesome if we start signing commits. It is a relatively painless process and happens automatically with little configuration.
Spoofing authors in git is quite easy, actually provided as a command line option (--author, --reset-author), and I believe it would be a good practice to sign all the commits (even outside of Mailman).
Here are steps for how you can do that:
1. Add your public key to Gitlab (https://gitlab.com/profile/gpg_keys)
2. Commit with -S (capital S)
Here is the relevant section of .gitconfig to auto-sign every commit you make (no need for step 2 if you do this):

    [user]
        name = Abhilash Raj
        email = raj.abhilash1@gmail.com
        signingkey = 541EA0448453394FF77A0ECC9D9B2BA061D0A67C
    [commit]
        gpgsign = true

Once you have pushed a signed commit to Gitlab and have uploaded your gpg public key, you will see a green "Verified" button alongside every commit. (See https://gitlab.com/maxking/mailman/commits/msapiro/mailman-pending)
-- Abhilash Raj maxking@asynchronous.in
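
Added example (not part of the original post): a local counterpart to the "Verified" badge, listing every commit in a range that does not carry a good signature from a trusted key. It relies on git's %G? signature-status placeholder; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Input lines have the form "<hash> <%G? status> <author email>", as printed by
#   git log --pretty='%H %G? %ae' <range>

# Read such lines on stdin, print each commit that is not signed by a
# trusted key, and return 1 if any were found (0 otherwise).
unverified_commits() {
    bad=0
    while read -r hash status email; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) ;;                                              # good signature
            N) echo "$hash $email unsigned"; bad=1 ;;
            U) echo "$hash $email untrusted-key"; bad=1 ;;     # valid, key not trusted
            B) echo "$hash $email bad-signature"; bad=1 ;;
            E) echo "$hash $email key-missing"; bad=1 ;;       # cannot be checked
            X|Y|R) echo "$hash $email expired-or-revoked"; bad=1 ;;
            *) echo "$hash $email unknown-status"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Audit a revision range in the current repository (default: all of HEAD).
audit_range() {
    git log --pretty='%H %G? %ae' "${1:-HEAD}" | unverified_commits
}

# Constructed sample input (hashes and addresses are made up).
sample_log() {
    cat <<'EOF'
aaaaaaa1 G alice@example.org
bbbbbbb2 N alice@example.org
ccccccc3 U mallory@example.org
ddddddd4 B bob@example.org
EOF
}
```

Run audit_range origin/master..HEAD before merging a branch; a non-zero exit status means at least one commit's author field is not backed by a trusted signature.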