Signing git commits for swag and profit
Every developer loves swag. No exception. Almost every developer
sitting around me in the office has some stickers on their shiny
laptop. Most of them have cool T-shirts collected at conferences or
meetups. Oh yeah! We developers love swag. There is even a site where
you can buy cool stuff for developers - DevSwag.com. Today I will show
you, dear reader, some gitswag.
Who doesn’t want to be verified as a git commit author?
git loves gnupg
git works nicely with GnuPG. It allows you to sign and verify commits
and other git objects. But swag is only a side effect. If you are not
signing commits, basically anyone can set your name and email in their
git config. A signature is the ultimate proof that you are the author
of this change.
First you need to generate your key. It is easy: just run
gpg --full-generate-key and provide a few pieces of information. When
your key is ready, upload it to your GitHub account. To make sure you
copy-paste all of it without any crap, run this command:
gpg --armor --export your-key-id | pbcopy
(but keep in mind that pbcopy is OSX specific).
Now you can sign your commit with the git commit -S option. But it is
super easy to forget about -S when committing. That’s why I added to
my git config entries that will sign every commit I make.
git config user.signingKey your-key-id
git config commit.gpgsign true
Done! Now every commit will be signed.
But there are some drawbacks. Signing every commit means that after
you type your commit message you will be asked to type the password
for your key. It is very annoying when you are performing
git rebase master because you will be asked for the password for every
commit that is not in the master branch. There are some options to
remember your passphrase, but honestly I think it is a no-no.
You can always verify a commit you just pulled with git verify-commit
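To check a whole range of pulled commits rather than one at a time, git log can print each commit's signature status with the %G? placeholder. The script below is an added example, not part of the original post: the function names are hypothetical, and the throwaway repository with the identity "Alice Example" is constructed to show that an unsigned commit carries whatever name was configured and is reported with status N.

```shell
#!/bin/sh
# Added example: audit commit signature status with git log's %G? placeholder.
# %G? codes: G good signature, B bad, U good but key validity unknown,
#            X/Y expired signature/key, R revoked key,
#            E cannot be checked (e.g. missing public key), N no signature.

# Print "<status> <short-hash> <author>" for every commit in a range.
sig_report() {
    repo=$1
    range=${2:-HEAD}
    git -C "$repo" log --format='%G? %h %an <%ae>' "$range"
}

# Print every commit whose status is not G and return non-zero if any exist.
# This is strict: U (valid signature, key not trusted in your keyring) is
# listed too, with its status code visible so you can decide what to accept.
unverified_commits() {
    out=$(sig_report "$1" "${2:-HEAD}" | grep -v '^G ' || true)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: a throwaway repo holding one unsigned commit whose
# author name and email are simply set through configuration.
make_demo_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" \
        -c user.name='Alice Example' -c user.email='alice@example.com' \
        -c commit.gpgsign=false \
        commit -q --allow-empty -m 'unsigned commit with a claimed identity'
    printf '%s\n' "$dir"
}

demo=$(make_demo_repo)
unverified_commits "$demo" || echo "commits without a good signature found"
rm -rf "$demo"
```

In a real repository, pass a range such as origin/master..HEAD as the second argument to check only the commits you just fetched.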