Sign commits with GPG #78
Comments
PS: The same thing would apply to releases, see https://wiki.debian.org/Creating%20signed%20GitHub%20releases as a reference.
I was thinking about this when I ran across this guide https://github.com/pstadler/keybase-gpg-github yesterday on HackerNews. I like the idea of doing this, but I'd like to not do it for all git repositories I contribute to. I'll definitely look into it though. One thing I noticed about my Keybase generated GPG is that it does not line up with the email I use for git. (I noticed this when putting in my key via GitHub settings)
For those who wish to add their key only to a local project
@frankcash About the email address thing: just add the address associated with the key to github in the profile as additional email address and confirm it, that should suffice. Had the same issue a couple of days ago.
Looks like mine is set!
That was a fast response! Looks good to me (: Commits from you are now signed, perfect! The only additional great thing would be to also sign the releases, so not only the commits are trusted, but also the authenticity of the releases hosted on Github can be verified. Should be pretty easy, see https://wiki.debian.org/Creating%20signed%20GitHub%20releases. Thanks again for the effort! Edit: If you want to use keybase, the gpg command in the instruction above would translate into
I would definitely like to sign releases as well! Great idea. Thanks for bringing all these up! (#69). |
Hi,
since this is a very security- and privacy-focused project, it would be great if it were possible to verify that the commits are from the real developers behind this project and are not being committed by an adversary.
An easy way to achieve this would be to utilize the GPG signing feature of git in conjunction with the Github GPG feature (https://github.com/blog/2144-gpg-signature-verification).
Best,
Matthias
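Putting the issue's proposal together with the two points raised in the comments (repository-local configuration rather than --global, and signed release tags as on the Debian wiki page), here is an added example that is not part of the thread or the project's own code. It assumes gpg (2.1 or later) and git are on PATH; the signer name and e-mail are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the issue thread. Uses a throwaway key in an isolated
# GNUPGHOME and a throwaway repository, so nothing outside the temp dir changes.
set -eu

sign_and_verify_demo() (
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"           # isolated keyring, not ~/.gnupg
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Throwaway, passphrase-less key (constructed placeholder identity).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" default default never
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')

    git init -q "$work/repo" && cd "$work/repo"
    # Repository-local settings only (no --global): other checkouts stay untouched.
    git config user.name "Demo Signer"
    git config user.email "demo@example.invalid"   # must match a UID on the key
    git config user.signingkey "$fpr"
    git config commit.gpgsign true                 # every commit here is signed

    echo "hello" > README && git add README
    git commit -q -m "Initial commit"              # signed via commit.gpgsign
    git tag -s v1.0.0 -m "Release 1.0.0"           # signed release tag

    # What a consumer runs: a bad or missing signature gives a non-zero exit.
    git verify-commit HEAD 2>/dev/null || { echo "commit-unverified"; exit 1; }
    git verify-tag v1.0.0 2>/dev/null   || { echo "tag-unverified"; exit 1; }

    # Negative check: a commit made without signing must *not* verify.
    git -c commit.gpgsign=false commit -q --allow-empty -m "Unsigned"
    if git verify-commit HEAD 2>/dev/null; then echo "unsigned-verified"; exit 1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent for this keyring
    cd / && rm -rf "$work"
    echo "verified"
)

sign_and_verify_demo
```

GitHub shows the "Verified" badge only once the public key is uploaded in the account settings and the commit e-mail is a confirmed address on that account, which is the mismatch discussed in the comments above.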