[guardian-dev] signing git commits with gpg

Hans-Christoph Steiner hans at guardianproject.info
Fri Feb 15 12:53:43 EST 2013



On 02/15/2013 12:02 PM, Abel Luck wrote:
> Hans-Christoph Steiner:
>>
>>
>> On 02/12/2013 02:25 PM, Jacob Appelbaum wrote:
>>> Hans-Christoph Steiner:
>>>>
>>>> Here's a nice, thorough article that goes thru the problems of gpg-signing git
>>>> commits and verifying them in a useful way:
>>>>
>>>> http://mikegerwitz.com/docs/git-horror-story.html
>>>>
>>>> Has anyone integrated commit signing into their workflow?  I'm specifically
>>>> interested to hear about aiding some kind of auditing.
>>>>
>>>
>>> I sign tags for torsocks, TorBirdy and tlsdate. It is pretty
>>> straightforward. I'd move to signing commits if I was using a hardware dongle
>>> that wasn't absolutely horrible.
>>
>> Yeah, at this point, I think that signing tags in git is essential.  But it
>> seems that signing each commit is easy to do, but there aren't really tools to
>> use those per-commit signatures.
>>
> The major beef I've got with commit signing is that commits are lost in
> a rebase, even if the rebase just reorders commits.
> 
> Perhaps if git prompted you to resign the commits, that would be better,
> but it doesn't.
> 
> My private workflow involves lots of rebasing. I could sign each final
> commit I push to the public, but I don't because I don't know how to
> retroactively sign commits.

Yeah, this is a good example of how signing commits isn't really fully
supported yet in the whole workflow.  It might be possible to go back and sign
commits with a filter, but I haven't tried that.

.hc
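The workflow discussed above, as an added example that is not part of the thread or of any Guardian Project code: it builds a throwaway GnuPG key in an isolated GNUPGHOME (the "Demo Signer" identity and the scratch repository are constructed for the demo), signs a base commit and a tag, creates two unsigned commits to stand in for a rebase-heavy private branch, and then signs those retroactively with `git rebase --exec 'git commit --amend --no-edit -S'`, which is one way to do the "go back and sign commits" step without a history filter. It assumes git 2.5 or newer (for `verify-commit`) and GnuPG 2.1 or newer (for `%no-protection`) on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): sign git tags and commits with a
# throwaway GnuPG key, show that commits created without -S carry no
# signature, and retroactively sign them with `git rebase --exec`.
# Needs git >= 2.5 and GnuPG >= 2.1 on PATH; everything lives in a temp dir.
set -eu

# Create an isolated GNUPGHOME with an unprotected RSA signing key and a
# scratch repository configured to sign with it. Sets DEMO_DIR and DEMO_REPO.
setup_signing_demo() {
    DEMO_DIR=$(mktemp -d)
    DEMO_REPO="$DEMO_DIR/repo"
    export GNUPGHOME="$DEMO_DIR/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Constructed identity; %no-protection means no passphrase, so no pinentry.
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    # First "fpr" record of the only secret key is the primary key fingerprint.
    SIGNING_KEY=$(gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    git init -q "$DEMO_REPO"
    git -C "$DEMO_REPO" config user.name "Demo Signer"
    git -C "$DEMO_REPO" config user.email demo@example.invalid
    git -C "$DEMO_REPO" config user.signingkey "$SIGNING_KEY"
}

# Append a line to a file and commit it; $1 = message, $2 = -S or --no-gpg-sign.
demo_commit() {
    echo "$1" >> "$DEMO_REPO/notes.txt"
    git -C "$DEMO_REPO" add notes.txt
    git -C "$DEMO_REPO" commit -q "$2" -m "$1"
}

# One line per commit: abbreviated hash, %G? status (G = good, N = none), subject.
signature_status() {
    git -C "$DEMO_REPO" log --format='%h %G? %s'
}

# Count commits reachable from HEAD whose signature verifies against our keyring.
signed_commit_count() {
    n=0
    for c in $(git -C "$DEMO_REPO" rev-list HEAD); do
        if git -C "$DEMO_REPO" verify-commit "$c" >/dev/null 2>&1; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Re-sign every commit after $1 by amending each one as the rebase replays it.
# GIT_SEQUENCE_EDITOR=true stops the implied interactive rebase opening an editor.
resign_commits_after() {
    GIT_SEQUENCE_EDITOR=true GIT_EDITOR=true \
        git -C "$DEMO_REPO" rebase --quiet --exec 'git commit --amend --no-edit -S' "$1"
}

# Remove the temp directory and the gpg-agent that was started for it.
cleanup_demo() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent || true
    fi
    rm -rf "$DEMO_DIR"
}

run_demo() {
    setup_signing_demo
    demo_commit "base: signed release point" -S
    # Stand-ins for commits from a rebase-heavy private branch: no signatures.
    demo_commit "work 1" --no-gpg-sign
    demo_commit "work 2" --no-gpg-sign
    echo "before re-signing:"; signature_status
    resign_commits_after HEAD~2
    echo "after re-signing:"; signature_status
    # Signed tags are the part that is already well supported; verify one too.
    git -C "$DEMO_REPO" tag -s v0.1 -m "demo release"
    git -C "$DEMO_REPO" verify-tag v0.1 2>&1 | grep -i 'good signature'
}

run_demo
```

Running it prints the `%G?` column flipping from `N` to `G` for the two work commits, while the base commit keeps its signature (its hash is unchanged by the replay). The amend-in-rebase approach rewrites the commits, so it only fits before they are pushed, which is exactly the "sign each final commit I push" case from the thread; `cleanup_demo` removes the temp key and repository afterwards.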

