vcs:commit-signing
Differences
vcs:commit-signing [2021/04/01 04:48] – add install instructions for Linux distros; grammar bishop | vcs:commit-signing [2021/04/01 16:48] (current) – improve documentation around key expiration bishop | ||
Line 64: | Line 64: | ||
Use the package manager available in your OS. See also the [[https:// | Use the package manager available in your OS. See also the [[https:// | ||
- | == MacOS with Homebrew | + | == Recent versions of OS and distributions |
- | < | + | ^ OS / Distribution ^ Command(s) ^ |
- | $ brew install gpg | + | | macOS with Homebrew | '' |
- | </ | + | | Ubuntu, Debian, Mint, Kali | '' |
+ | | CentOS, Fedora, RHEL | '' | ||
- | == Ubuntu, Debian, Mint and Kali == | + | == Older releases |
- | < | + | ^ OS ^ Command(s) ^ |
- | $ sudo apt install gnupg | + | | Ubuntu 18.04LTS | '' |
- | </code> | + | |
- | + | ||
- | == CentOS, Fedora, and RHEL == | + | |
- | + | ||
- | < | + | |
- | $ sudo yum install | + | |
- | </ | + | |
=== Update start-up files === | === Update start-up files === | ||
- | These instructions assume you're using Zsh. If you're using a different shell, replace '' | + | These instructions assume you're using Zsh. If you're using a different shell, replace '' |
< | < | ||
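Review bot: the "Older releases" table in this hunk has a single row, "Ubuntu 18.04LTS", and nothing says what sets an older release apart from the ones in the table above it; add a one-line lead-in stating why those releases need a different command, and write the release as "Ubuntu 18.04 LTS". Replacing the three per-OS subsections with the two tables is otherwise a clear improvement.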
Line 110: | Line 104: | ||
==== Step 2 of 7: Generate a new, unique GPG signing key ==== | ==== Step 2 of 7: Generate a new, unique GPG signing key ==== | ||
- | With GPG installed and operational, | + | With GPG installed and operational, |
- | You will need to choose | + | In the examples that follow, replace references to "Your Name" with your full name; replace " |
+ | |||
+ | You will be prompted | ||
=== From a macOS/ | === From a macOS/ | ||
Line 123: | Line 119: | ||
Name-Real: Your Name | Name-Real: Your Name | ||
Name-Email: you@php.net | Name-Email: you@php.net | ||
- | Passphrase: enter-a-strong-password-here-and-save-it-in-a-password-manager | ||
') | ') | ||
</ | </ | ||
+ | |||
+ | Note that this creates an immortal key. See the section " | ||
==== Step 3 of 7: Get the key ID ==== | ==== Step 3 of 7: Get the key ID ==== | ||
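Review bot: dropping the ''Passphrase:'' line from the batch parameter block is the right change, since the previous revision left the passphrase in a plain-text file and, when the block was pasted, in shell history; the surrounding prose should say explicitly that ''gpg --gen-key'' now asks for the passphrase through pinentry, and that ''%no-protection'' must not be added to the block to suppress that prompt. In the added note, prefer "a key with no expiration date" to "an immortal key", which is this guide's coinage rather than GnuPG's term and will not match what readers see in gpg's own output.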
Line 210: | Line 207: | ||
* If that doesn' | * If that doesn' | ||
- | Now, we have a signed tag. We'll push this up to GitHub to ensure we can see that it's a verified tag: | + | Now, we have a signed tag. We can verify that in the git log: |
+ | |||
+ | < | ||
+ | $ git show --show-signature " | ||
+ | tag myusername-1599166378-6517-signature-test | ||
+ | Tagger: Your Name < | ||
+ | Date: Tue Aug 25 16:42:17 EDT 2020 | ||
+ | |||
+ | Temporary tag for testing signing | ||
+ | -----BEGIN PGP SIGNATURE----- | ||
+ | ABCD...=== | ||
+ | -----END PGP SIGNATURE----- | ||
+ | </ | ||
+ | |||
+ | We'll push this temporary tag to GitHub to check that GitHub recognizes the signature: | ||
< | < | ||
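Review bot: the sample ''git show --show-signature'' output stops at ''-----END PGP SIGNATURE-----'' with no ''gpg:'' lines, but the armored block is part of the tag object and is printed for any signed tag whether or not it verifies; the verification result is the ''gpg: Good signature from "Your Name <...>"'' line that ''--show-signature'' appends after it, so include that line in the sample (marked as example output) or, since the object is a tag, show ''git verify-tag'' on it, which is the direct check and what the "verify that in the git log" sentence implies. Minor: the tag's ''Date:'' (Aug 25 2020) predates the epoch timestamp embedded in the tag name (1599166378 falls in early September 2020), which reads as output copied from two different runs.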
Line 222: | Line 233: | ||
</ | </ | ||
- | Let's go check that it's verified on GitHub. Navigate | + | Now, navigate |
Near the top of the list you'll see the recently pushed tag and off to the right there should be green text of " | Near the top of the list you'll see the recently pushed tag and off to the right there should be green text of " | ||
Line 238: | Line 249: | ||
$ git tag --delete " | $ git tag --delete " | ||
</ | </ | ||
+ | |||
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
Line 315: | Line 327: | ||
git config --list | git config --list | ||
</ | </ | ||
+ | |||
+ | |||
+ | ===== Frequently Asked Questions ===== | ||
+ | |||
+ | ==== Can I sign commits using VSCode, Emacs, PHPStorm, vim, or ${other_favorite_editor}? | ||
+ | |||
+ | Yes, probably. These IDE just pass down the git responsibility to the underlying tool chain, so if git is configured properly on the command line, it should work in your favorite IDE. However, you may need to configure GPG to use the native key chain instead of its default agent ('' | ||
+ | |||
+ | ==== What if I lose my key? ==== | ||
+ | |||
+ | Laptop stolen. Accidentally '' | ||
+ | |||
+ | ==== Do I need a passphrase? ==== | ||
+ | |||
+ | Yes. If your private key falls into the wrong hands, they' | ||
+ | |||
+ | ==== Should my key expire? ==== | ||
+ | |||
+ | This guide created an immortal key (see step 2), because //for this use case// [[https:// | ||
+ | |||
+ | As part of regular security hygiene, however, consider creating a new key and replacing the old one at GitHub annually. | ||
===== Advanced Setup ===== | ===== Advanced Setup ===== | ||
+ | |||
+ | ==== Configure more key options ==== | ||
+ | |||
+ | This guide created a unique key in batch mode, to simplify working through the steps. However, more key options are available, which can be entered interactively: | ||
+ | |||
+ | < | ||
+ | $ gpg --full-generate-key | ||
+ | </ | ||
+ | |||
+ | When doing this, make sure to select a key type of '' | ||
==== Extend the lifetime of cached passwords ==== | ==== Extend the lifetime of cached passwords ==== | ||
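Review bot: the "Should my key expire?" answer argues for a key with no expiration date and then, two sentences later, recommends replacing the key at GitHub annually; a one-year ''Expire-Date'' in the batch block would enforce exactly that rotation (and ''gpg --quick-set-expire'' extends it later if the no-expiry argument wins), so the section should either adopt that or state why replacement without expiry is preferred for this use case. Smaller points in the same hunk: "These IDE just pass down" should read "These IDEs", and the "What if I lose my key?" answer opens with sentence fragments ("Laptop stolen. Accidentally ...") that should be rewritten as full sentences so the answer reads as guidance rather than a list of scenarios.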
Line 359: | Line 402: | ||
The '' | The '' | ||
+ | |||
+ | ==== Always show signatures in logs ==== | ||
+ | |||
+ | To always display signatures in commit logs, you can configure git to always display them by default | ||
+ | |||
+ | < | ||
+ | git config --global log.showSignature true | ||
+ | </ | ||
===== Thanks ===== | ===== Thanks ===== | ||
This guide was adapted, with permission, from internal developer documentation at [[https:// | This guide was adapted, with permission, from internal developer documentation at [[https:// |
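Review bot: the lead-in "To always display signatures in commit logs, you can configure git to always display them by default" says "always" twice and lacks its trailing colon; shorten to "To show signatures in every git log by default:". Worth a caveat under the snippet: with ''log.showSignature'' set, ''git log'' and ''git show'' invoke gpg for each signed commit they print, which noticeably slows browsing long histories, so readers who only want an occasional check may prefer ''git log --show-signature'' on demand, the per-invocation form this guide already uses in the ''git show --show-signature'' step above.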
vcs/commit-signing.1617252528.txt.gz · Last modified: 2021/04/01 04:48 by bishop