[guardian-dev] signing git commits with gpg
Hans-Christoph Steiner
hans at guardianproject.info
Tue Feb 12 14:29:32 EST 2013
On 02/12/2013 02:25 PM, Jacob Appelbaum wrote:
> Hans-Christoph Steiner:
>>
>> Here's a nice, thorough article that goes thru the problems of gpg-signing git
>> commits and verifying them in a useful way:
>>
>> http://mikegerwitz.com/docs/git-horror-story.html
>>
>> Has anyone integrated commit signing into their workflow? I'm specifically
>> interested to hear about aiding some kind of auditing.
>>
>
> I sign tags for torsocks, TorBirdy and tlsdate. It is pretty
> straightforward. I'd move to signing commits if I was using a hardware dongle
> that wasn't absolutely horrible.
Yeah, at this point, I think that signing tags in git is essential. But it
seems that signing each commit is easy to do, but there aren't really tools to
use those per-commit signatures.
.hc