vcs:commit-signing
Differences
vcs:commit-signing [2021/04/01 04:28] – created bishop | vcs:commit-signing [2021/04/01 16:48] (current) – improve documentation around key expiration bishop
Line 58: | Line 58: | ||
==== Step 1 of 7: Install GPG ==== | ==== Step 1 of 7: Install GPG ==== | ||
- | Modern versions of Git, versions 2.2 or higher, use [[https:// | + | Modern versions of Git, versions 2.2 or higher, use [[https:// |
- | === MacOS with Homebrew === | + | === Install the GPG software === |
+ | |||
+ | Use the package manager available in your OS. See also the [[https:// | ||
+ | |||
+ | == Recent versions of OS and distributions == | ||
+ | |||
+ | ^ OS / Distribution ^ Command(s) ^ | ||
+ | | macOS with Homebrew | ||
+ | | Ubuntu, Debian, Mint, Kali | '' | ||
+ | | CentOS, Fedora, RHEL | '' | ||
+ | |||
+ | == Older releases | ||
+ | |||
+ | ^ OS ^ Command(s) ^ | ||
+ | | Ubuntu 18.04LTS | '' | ||
+ | |||
+ | === Update start-up files === | ||
+ | |||
+ | These instructions assume you're using Zsh. If you're using a different shell, replace '' | ||
< | < | ||
- | $ brew install gpg | ||
$ mkdir " | $ mkdir " | ||
$ chmod 700 " | $ chmod 700 " | ||
- | $ echo ' | + | $ >> " |
</ | </ | ||
- | |||
- | Note that these instructions assume you're using Zsh, the default shell in Catalina (10.15) and higher. If you're using an earlier version of macOS, a different terminal emulator (such as iTerm2), or if you have changed your default shell, replace .zshrc with your shell' | ||
- | |||
- | Note that macOS may require you to grant additional folder access to the Terminal app. Go to System Preferences > Security & Privacy > Privacy > Full Disk Access and click Terminal. | ||
=== Verify installation === | === Verify installation === | ||
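Review bot: the removed macOS note about granting Terminal Full Disk Access (System Preferences > Security & Privacy > Privacy > Full Disk Access) has no replacement in the new install tables or in "Update start-up files"; keep it as a note on the "macOS with Homebrew" row, since the mkdir / chmod 700 steps still run from Terminal. Also, now that Ubuntu, Debian, Mint, Kali, CentOS, Fedora and RHEL are covered, "These instructions assume you're using Zsh" no longer matches the default shell on those distributions, which is Bash; say explicitly that Bash users append to .bashrc instead of .zshrc.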
Line 91: | Line 104: | ||
==== Step 2 of 7: Generate a new, unique GPG signing key ==== | ==== Step 2 of 7: Generate a new, unique GPG signing key ==== | ||
- | With GPG installed and operational, | + | With GPG installed and operational, |
+ | |||
+ | In the examples that follow, replace references to "Your Name" with your full name; replace " | ||
- | You will need to choose | + | You will be prompted |
=== From a macOS/ | === From a macOS/ | ||
Line 104: | Line 119: | ||
Name-Real: Your Name | Name-Real: Your Name | ||
Name-Email: you@php.net | Name-Email: you@php.net | ||
- | Passphrase: enter-a-strong-password-here-and-save-it-in-a-password-manager | ||
') | ') | ||
</ | </ | ||
+ | |||
+ | Note that this creates an immortal key. See the section " | ||
==== Step 3 of 7: Get the key ID ==== | ==== Step 3 of 7: Get the key ID ==== | ||
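Review bot: dropping the "Passphrase:" line from the batch parameter file is the right call, since it keeps the secret out of the file and out of shell history, but the advice that travelled with it ("save it in a password manager") is lost; the new "You will be prompted" sentence should restate that advice and say the prompt comes from pinentry via gpg-agent, so readers are not surprised by a dialog appearing during what looks like a batch run.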
Line 191: | Line 207: | ||
* If that doesn' | * If that doesn' | ||
- | Now, we have a signed tag. We'll push this up to GitHub to ensure we can see that it's a verified tag: | + | Now, we have a signed tag. We can verify that in the git log: |
+ | |||
+ | < | ||
+ | $ git show --show-signature " | ||
+ | tag myusername-1599166378-6517-signature-test | ||
+ | Tagger: Your Name < | ||
+ | Date: Tue Aug 25 16:42:17 EDT 2020 | ||
+ | |||
+ | Temporary tag for testing signing | ||
+ | -----BEGIN PGP SIGNATURE----- | ||
+ | ABCD...=== | ||
+ | -----END PGP SIGNATURE----- | ||
+ | </ | ||
+ | |||
+ | We'll push this temporary tag to GitHub to check that GitHub recognizes the signature: | ||
< | < | ||
Line 203: | Line 233: | ||
</ | </ | ||
- | Let's go check that it's verified on GitHub. Navigate | + | Now, navigate |
Near the top of the list you'll see the recently pushed tag and off to the right there should be green text of " | Near the top of the list you'll see the recently pushed tag and off to the right there should be green text of " | ||
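Review bot: the sample `git show --show-signature` output shows only the PGP SIGNATURE block, which `git show` prints for a signed tag with or without `--show-signature` because the signature is stored in the tag body; what the flag adds, and what the reader needs to see to know the tag verifies, is gpg's verdict, so include the `gpg: Signature made ...` and `gpg: Good signature from "Your Name <...>"` lines in the example, and note that a `BAD signature` or `Can't check signature: No public key` line means the setup is not complete. `git verify-tag <tag>` is the more direct check if you want a second command.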
Line 219: | Line 249: | ||
$ git tag --delete " | $ git tag --delete " | ||
</ | </ | ||
+ | |||
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
Line 296: | Line 327: | ||
git config --list | git config --list | ||
</ | </ | ||
+ | |||
+ | |||
+ | ===== Frequently Asked Questions ===== | ||
+ | |||
+ | ==== Can I sign commits using VSCode, Emacs, PHPStorm, vim, or ${other_favorite_editor}? | ||
+ | |||
+ | Yes, probably. These IDE just pass down the git responsibility to the underlying tool chain, so if git is configured properly on the command line, it should work in your favorite IDE. However, you may need to configure GPG to use the native key chain instead of its default agent ('' | ||
+ | |||
+ | ==== What if I lose my key? ==== | ||
+ | |||
+ | Laptop stolen. Accidentally '' | ||
+ | |||
+ | ==== Do I need a passphrase? ==== | ||
+ | |||
+ | Yes. If your private key falls into the wrong hands, they' | ||
+ | |||
+ | ==== Should my key expire? ==== | ||
+ | |||
+ | This guide created an immortal key (see step 2), because //for this use case// [[https:// | ||
+ | |||
+ | As part of regular security hygiene, however, consider creating a new key and replacing the old one at GitHub annually. | ||
===== Advanced Setup ===== | ===== Advanced Setup ===== | ||
+ | |||
+ | ==== Configure more key options ==== | ||
+ | |||
+ | This guide created a unique key in batch mode, to simplify working through the steps. However, more key options are available, which can be entered interactively: | ||
+ | |||
+ | < | ||
+ | $ gpg --full-generate-key | ||
+ | </ | ||
+ | |||
+ | When doing this, make sure to select a key type of '' | ||
==== Extend the lifetime of cached passwords ==== | ==== Extend the lifetime of cached passwords ==== | ||
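Review bot: grammar in the IDE answer: "These IDE just pass down the git responsibility" should read "These IDEs just hand the git work down", and git/Git capitalisation varies across the new FAQ text while step 1 uses "Git". In "Should my key expire?", the immortal key in the first paragraph and the "replace annually" advice in the second pull in opposite directions; if annual rotation is the recommendation, point readers to the `gpg --full-generate-key` path in "Configure more key options", which asks for an expiry at creation, so rotation is enforced by the key rather than by memory, and say that the old key should be revoked as well as removed from GitHub so it cannot keep producing signatures that other verifiers accept.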
Line 341: | Line 403: | ||
The '' | The '' | ||
- | ==== Thanks ==== | + | ==== Always show signatures in logs ==== |
+ | |||
+ | To always display signatures in commit logs, you can configure git to always display them by default | ||
+ | |||
+ | < | ||
+ | git config --global log.showSignature true | ||
+ | </ | ||
+ | |||
+ | ===== Thanks | ||
This guide was adapted, with permission, from internal developer documentation at [[https:// | This guide was adapted, with permission, from internal developer documentation at [[https:// |
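Review bot: "To always display signatures in commit logs, you can configure git to always display them by default" says "always" twice; trim to "To show signatures in `git log` and `git show` by default:". The command block also drops the `$ ` prompt that every other block on the page uses. Worth a one-line caveat that `log.showSignature` makes git run gpg for each signed commit it lists, so long `git log` output gets slower, and that unsigned commits produce no gpg line at all, so the absence of output is not a warning.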
vcs/commit-signing.1617251319.txt.gz · Last modified: 2021/04/01 04:28 by bishop