
n. Slang a rough lawless young Kuali developer.
[perhaps variant of Houlihan, Irish surname]
kualiganism n

Blog of an rSmart Java Developer. Full of code examples, solutions, best practices, et al.

Saturday, December 7, 2013

Signing Git Commits

Motivation

After Kuali Days, one of my takeaways was that the switch from SVN to Git is pretty imminent. I am just posting a quick example of how to digitally sign commits, which is a great feature in Git.

Why Sign Commits?

Actually, you can sign commits, tags, and branches in Git. Just as an example though, let's look at commits.

For those of you that are familiar with the creator of Git, Linus Torvalds, here is a quote from the rather lengthy correspondence on GitHub:

(b) since github identities are random, I expect the pull request to
be a signed tag, so that I can verify the identity of the person in
question.

Steps


1 First set up a PGP Key

I use gpg on the Mac. There are plenty of other blog posts, etc. on how to set up GPG on your Mac/PC. I'm going to assume that you have already done this.

2 Create a KeyPair

Once you have GPG set up, you'll want a keypair. Again, there are lots of blogs out there on how to do this.

3 Add Key to Git Configuration

Assuming you already have GPG set up and your keypair is created, you should be able to do the following:

r351574nc3@behemoth~
(19:42:09) [24] gpg --list-keys
/Users/r351574nc3/.gnupg/pubring.gpg
------------------------------------
pub   4096R/7B2D3C57 2012-03-04 [expired: 2013-03-04]
uid                  Leo Przybylski 

pub   4096R/2349D2B7 2012-07-07
uid                  Leo Przybylski (For Examples) 
sub   4096R/ED1F82E4 2012-07-07

pub   4096R/2DDF1261 2013-06-04 [expires: 2014-06-04]
uid                  Leo Przybylski (Personal Key) 
sub   4096R/71EA9FC8 2013-06-04 [expires: 2014-06-04]

Each key has a particular ID, shown after the slash on its pub line. The one used for this example is 2DDF1261.

To add your key to Git, you would execute the following:
git config --global user.signingkey 2DDF1261

4 Commit some code

Now that we have it set up, let's commit something.

r351574nc3@behemoth~/projects/git/redis-maven-plugin
(20:03:36) [192] git commit -S -am "Fixing forking issue by adding a boolean to check if forking is allowed and only sync the netty channel when forking is NOT required."

You need a passphrase to unlock the secret key for
user: "Leo Przybylski (Personal Key) "
4096-bit RSA key, ID 2DDF1261, created 2013-06-04


5 Check the Commit Log

Now we need to check the commit log with git log --show-signature:

commit 6d97de7e977fc3ff6b2fb95d1645f16db764ebfc
gpg: Signature made Sat Dec  7 10:56:35 2013 MST using RSA key ID 2DDF1261
gpg: Good signature from "Leo Przybylski (Personal Key) "
Author: Przybylski 중광 
Date:   Sat Dec 7 10:56:35 2013 -0700

    Fixing forking issue by adding a boolean to check if forking is allowed and only sync the netty channel when forking is NOT required
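
Step 5 checks one signature by reading the log. To check a range of commits mechanically, the sketch below (an added example, not part of the original post) reads the output of git log --format='%H %G? %GF' and rejects any commit that is unsigned, fails verification, or is signed by a key whose full fingerprint is not pinned, since the 8-character key ID is too short to identify a key reliably. The function names, the reject labels, and the sample hashes and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: one line per commit, "<hash> <%G? status> <%GF fingerprint>",
# as printed by:  git log --format='%H %G? %GF' <range>
# Usage: audit_signatures PINNED_FPR [PINNED_FPR...] < lines
# Prints "<hash> <reason>" per rejected commit; returns 1 if any was rejected.
audit_signatures() {
    allowed=" $* "
    failed=0
    while read -r commit status fpr || [ -n "$commit" ]; do
        [ -n "$commit" ] || continue
        reason=""
        case "$status" in
            G|U) # Cryptographically good. U only means the local trustdb has no
                 # validity for the key; the fingerprint pin is the trust decision.
                 case "$allowed" in
                     *" ${fpr:-none} "*) ;;
                     *) reason="key-not-pinned" ;;
                 esac ;;
            N)   reason="unsigned" ;;
            B)   reason="bad-signature" ;;
            X|Y) reason="expired" ;;
            R)   reason="revoked-key" ;;
            *)   reason="cannot-verify" ;;   # E, or anything unexpected
        esac
        if [ -n "$reason" ]; then
            echo "$commit $reason"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample input; the hashes and fingerprints are made up.
PINNED=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sample_log() {
    cat <<EOF
1111111111111111111111111111111111111111 G $PINNED
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 G BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
4444444444444444444444444444444444444444 B
5555555555555555555555555555555555555555 Y $PINNED
EOF
}

sample_log | audit_signatures "$PINNED" || echo "audit failed: see rejected commits above"
```

Against a real repository, pipe the git log command from the header comment into audit_signatures with your own pinned fingerprints as arguments.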

Conclusion

There you have it. Now you can sign your commits and/or tags in Git!
