signing git commits - cheat sheet

Article: http://mikegerwitz.com/papers/git-horror-story

Theory

  • faking another user's commits is easy with the --author flag: $ git commit --author='Foo Bar <foo@bar.com>' -m 'some commit'

  • signing commits ensures:

    • someone else can't commit as me
    • I really committed all the commits I sign

Commands

list gpg keys: $ gpg --list-secret-keys

sec 4096R/8EE30EAB 2011-06-16 [expires: 2014-04-18]
          ^^^^^^^^

  • on the sec line, take the highlighted part (the short key id)

specify the gpg key for git: $ git config --global user.signingkey 8EE30EAB

create a signed commit: $ git commit -S -m 'msg'

  • it's just the -S flag

  • it will prompt for the gpg key passphrase

show commit signatures: $ git log --show-signature

  • with this, git automatically checks whether each signature is good!

log --pretty=format placeholder: %G? (the commit's signature status, e.g. G for good, N for unsigned)
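An added example, not part of this gist, that builds on the %G? placeholder: a small POSIX shell audit that flags every commit in a range whose signature status is anything other than G. The status letters are the ones git documents for %G?; the function names are my own, and the sample log lines at the bottom are constructed rather than taken from a real repository.

```shell
#!/bin/sh
# Added example, not from the original gist. Audits the signature status of a
# commit range using git's %G? placeholder. Real usage (assumed range name):
#   git log --pretty='format:%H %G? %aN' origin/main..HEAD | audit_signatures
# SAMPLE_LOG at the bottom is constructed input standing in for that output.

# Translate one %G? status letter into a description. The letters are the
# ones git documents for %G?.
describe_status() {
    case "$1" in
        G) echo "good signature" ;;
        B) echo "BAD signature" ;;
        U) echo "good signature, but the key is not trusted" ;;
        X) echo "good signature that has expired" ;;
        Y) echo "good signature made by an expired key" ;;
        R) echo "good signature made by a revoked key" ;;
        E) echo "signature cannot be checked (key missing?)" ;;
        N) echo "NOT signed" ;;
        *) echo "unknown status '$1'" ;;
    esac
}

# Read "<hash> <status> <author...>" lines on stdin. Print one line for every
# commit whose status is not G and return 1 if any was found, 0 otherwise.
# An unsigned commit (N) is what a commit faked with --author looks like, so
# anything but G is worth a look before a release.
audit_signatures() {
    rc=0
    while read -r hash status author; do
        [ -z "$hash" ] && continue
        if [ "$status" != "G" ]; then
            printf '%s (%s): %s\n' "$hash" "$author" "$(describe_status "$status")"
            rc=1
        fi
    done
    return "$rc"
}

# Number of commits in the input that fail the audit.
count_flagged() {
    audit_signatures | wc -l | tr -d ' '
}

# Constructed sample of what the git log command above emits.
SAMPLE_LOG='3f2a9c1 G Alice Example
8b7d0e2 N Bob Example
c4e51aa B Alice Example
d9f03b7 U Mallory Example'

if printf '%s\n' "$SAMPLE_LOG" | audit_signatures; then
    echo "every commit carries a good, trusted signature"
else
    echo "commits above need attention"
fi
```

The audit is deliberately strict: U (good signature, untrusted key) is reported too, because a signature from a key you have never trusted says nothing about who made the commit. Relax that check only after deciding which keys your repository trusts.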

signed tag: $ git tag -s v1.0.0 -m 'msg'

  • to verify the tag: $ git tag -v v1.0.0

reviewing and signing each commit

  • commit author is not changed!
  • commit SHAs will change!

  1. rebase: $ git rebase -i HEAD~x

  2. set all commits to e or edit

  3. review the commit: $ git diff HEAD^

  4. sign the commit (again, does not change the commit author): $ git commit -S --amend -C HEAD

  5. continue, repeating steps 3 and 4 for each commit till the end: $ git rebase --continue

signing a merge

  • to assert that I'm the one who performed the merge
  • does not assert the integrity of each merged commit

$ git merge -S --no-ff
