[guardian-dev] signing git commits with gpg

Abel Luck abel at guardianproject.info
Fri Feb 15 12:02:41 EST 2013


Hans-Christoph Steiner:
> 
> 
> On 02/12/2013 02:25 PM, Jacob Appelbaum wrote:
>> Hans-Christoph Steiner:
>>>
>>> Here's a nice, thorough article that goes through the problems of gpg-signing git
>>> commits and verifying them in a useful way:
>>>
>>> http://mikegerwitz.com/docs/git-horror-story.html
>>>
>>> Has anyone integrated commit signing into their workflow?  I'm specifically
>>> interested to hear about aiding some kind of auditing.
>>>
>>
>> I sign tags for torsocks, TorBirdy and tlsdate. It is pretty
>> straightforward. I'd move to signing commits if I was using a hardware dongle
>> that wasn't absolutely horrible.
> 
> Yeah, at this point, I think that signing tags in git is essential.  But it
> seems that signing each commit is easy to do, but there aren't really tools to
> use those per-commit signatures.
> 
The major beef I've got with commit signing is that commits are lost in
a rebase, even if the rebase just reorders commits.

Perhaps if git prompted you to resign the commits, that would be better,
but it doesn't.

My private workflow involves lots of rebasing. I could sign each final
commit I push to the public, but I don't because I don't know how to
retroactively sign commits.

~abel
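Added example, not part of the thread and not anything Abel or the Guardian project posted: a throwaway-repo script that reproduces the behaviour described above (a plain `git rebase` rewrites the commits without their signatures) and then re-signs the rebased range retroactively with `git rebase --exec 'git commit --amend --no-edit -S'`. It assumes git and GnuPG 2.x are on PATH; the key, the user identity and the repo are all created in a temporary directory and deleted afterwards.

```shell
#!/bin/sh
# Demo (added example, not from the thread): a plain rebase drops per-commit
# OpenPGP signatures; `git rebase --exec 'git commit --amend --no-edit -S'`
# puts them back on every commit above the base.
# Assumes git and gpg 2.1+ on PATH; works entirely in a temp directory.
set -eu

have_tools() {
    command -v git >/dev/null 2>&1 || return 1
    command -v gpg >/dev/null 2>&1 || return 1
    # --quick-gen-key needs GnuPG 2.1 or later
    gpg --version 2>/dev/null | head -n 1 | grep -q ' 2\.'
}

# Generate a passphrase-less throwaway key in $GNUPGHOME (set by the caller)
# and print its key id.
make_throwaway_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default 0 \
        >/dev/null 2>&1
    gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "sec" { print $5; exit }'
}

# git's %G? placeholder: G/U = good signature, N = no signature, B = bad.
sig_status() {
    git log -1 --format=%G? "$1"
}

is_signed() {
    case "$1" in G|U) return 0 ;; esac
    return 1
}

# Prints "skipped" when the tools are missing, "dropped" when the rebase lost
# the signature and the re-sign restored it, otherwise the observed states.
run_rebase_signature_demo() {
    have_tools || { echo skipped; return 0; }
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    keyid=$(make_throwaway_key)
    mkdir -p "$work/repo"
    (
        cd "$work/repo"
        git init -q . 2>/dev/null
        git config user.name 'Demo Signer'
        git config user.email 'demo@example.invalid'
        git config user.signingkey "$keyid"
        base=$(git symbolic-ref --short HEAD)

        git commit -q --allow-empty -S -m 'A: signed base commit'
        git checkout -q -b feature
        printf 'work\n' > feature.txt
        git add feature.txt
        git commit -q -S -m 'B: signed feature commit'
        before=$(sig_status feature)

        # Base moves on after feature forked, so the rebase has to rewrite B.
        git checkout -q "$base"
        git commit -q --allow-empty -S -m 'C: signed commit landing on base'
        git checkout -q feature
        GIT_SEQUENCE_EDITOR=true git rebase -q "$base" >/dev/null 2>&1
        after_rebase=$(sig_status feature)

        # Retroactively re-sign every commit above base; -f forces a replay
        # even though feature already sits on top of base.
        GIT_SEQUENCE_EDITOR=true git rebase -q -f \
            --exec 'git commit --amend --no-edit -S' "$base" >/dev/null 2>&1
        after_resign=$(sig_status feature)

        if is_signed "$before" && [ "$after_rebase" = N ] && is_signed "$after_resign"; then
            echo dropped
        else
            echo "unexpected:$before/$after_rebase/$after_resign"
        fi
    )
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
}

run_rebase_signature_demo
```

The same `--exec` trick re-signs any range of unsigned commits before they are pushed (`git rebase --exec 'git commit --amend --no-edit -S' <base>`), which is the "retroactively sign" step the message asks about; `git rebase --gpg-sign` (or `commit.gpgsign = true` in the config) makes the rebase sign the rewritten commits in the first place. Either way the rewritten commits have new hashes, so the check with `git log --format=%G?` (or `git log --show-signature`) is what tells you whether the history you are about to push is actually signed.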
