[guardian-dev] signing git commits with gpg

Hans-Christoph Steiner hans at guardianproject.info
Tue Feb 12 14:29:32 EST 2013

On 02/12/2013 02:25 PM, Jacob Appelbaum wrote:
> Hans-Christoph Steiner:
>> Here's a nice, thorough article that goes thru the problems of gpg-signing git
>> commits and verifying them in a useful way:
>> http://mikegerwitz.com/docs/git-horror-story.html
>> Has anyone integrated commit signing into their workflow?  I'm specifically
>> interested to hear about aiding some kind of auditing.
> I sign tags for torsocks, TorBirdy and tlsdate. It is pretty straight
> forward. I'd move to signing commits if I was using a hardware dongle
> that wasn't absolutely horrible.

Yeah, at this point, I think that signing tags in git is essential.  But it
seems that signing each commit is easy to do, but there isn't really tools to
use those per-commit signatures.


More information about the Guardian-dev mailing list