

Git and PGP commit/tag signing


f0dder:
Hey everybody, do any of you guys have any experience with PGP-signing in Git?

There are good reasons to sign your code, especially if you're planning to share your code with the world, and it's simple enough to set up - there's a zillion blog posts regurgitating the bare basics. I could of course just generate a 4096-bit RSA key and be done with it, but I guess I'm looking for more of a dos and don'ts or personal experience kind of thing, especially related to key management.

Since it's what people seem to do, I'm planning on using GNU Privacy Guard.

So, should I have one keypair for "everything" (signing in Git as well as email, if needed, and other encryption purposes), or is it better to have separate keypairs? Or a signing keypair as a subkey? Any thoughts on keypair properties (e.g., RSA for the master, DSA signing-only key, expiration dates of master and subkeys, ...)? Anything else (GPG is a clusterfuck UX-wise, and has a lot of knobs you can play with)?

I'm pretty sure master + subkey is the way to go, and setting up is described decently enough, I guess - even if the dance seems elaborate.

As for the signing process itself, for the project at hand, I'll probably go with only signing tags - I'll be the only one committing to the repository (merging pull requests, should any ever appear), and I prefer signing to be a conscious, reviewed activity.

Deozaan:
I just found out about Keybase.io which may be tangentially related to this question since it mentions signing code (or verifying code signed by others). I posted about it here.

f0dder:
Thanks, Deo, but I specifically want PGP/GPG signing since it has built-in support in Git and other tools in the ecosystem :)

Gotta check out Keybase at some point, though - I've heard other people mentioning it, but never got around to looking at it. Not really sure what to think about the filesystem thing, I'm always wary of "free storage space" offerings - but the main keybase thing seems to be a public key discovery service, which could be useful.

Deozaan:
--- Quote from: f0dder on February 05, 2016, 04:26 PM ---
Thanks, Deo, but I specifically want PGP/GPG signing since it has built-in support in Git and other tools in the ecosystem :)

Gotta check out Keybase at some point, though - I've heard other people mentioning it, but never got around to looking at it. Not really sure what to think about the filesystem thing, I'm always wary of "free storage space" offerings - but the main keybase thing seems to be a public key discovery service, which could be useful.
--- End quote ---

Yeah, it's probably not what you want for your git tag signing stuff, but just for clarity, Keybase uses GPG/PGP.

f0dder:
Right, I went with a signing subkey, and will be signing only tags unless somebody convinces me otherwise.

Keybase.io requires beta signup, *sigh*. I think I'm like number 20k in queue...
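The layout f0dder asks about in the opening post and settles on in the last one (a certify-only master key, a separate signing subkey, and signing tags rather than every commit) as a worked example. This is an added script, not code from the thread or from anyone in it; it assumes gpg 2.1 or newer and git 2.5 or newer on PATH, and the identity "Demo Signer <demo@example.invalid>", the throwaway GNUPGHOME and the throwaway repository are all made up for the demo.

```sh
#!/bin/sh
# Added example, not code from the thread.  Builds the layout f0dder chose:
# a certify-only primary key, a separate signing subkey, git pinned to that
# subkey, and a signed tag that is then verified.  Runs entirely inside a
# throwaway GNUPGHOME and repository so it cannot touch real keys.
# Assumptions: gpg >= 2.1 and git >= 2.5 on PATH; the identity below is invented.
set -eu

ALGO="${ALGO:-ed25519}"   # the thread's choice would be rsa4096; ed25519 generates instantly
KEY_UID="Demo Signer <demo@example.invalid>"   # made-up identity for the demo

# Fingerprint of the primary key: first "fpr" record in the colon-delimited listing.
primary_fpr() {
  gpg --batch --with-colons --with-fingerprint --list-secret-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of the signing subkey: the "fpr" record right after the first "ssb".
subkey_fpr() {
  gpg --batch --with-colons --with-fingerprint --list-secret-keys \
    | awk -F: '$1 == "ssb" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Generates the keys, signs a tag, verifies it, and prints "verified" on success.
# Prints "skipped" when gpg or git is missing so the script stays runnable anywhere.
demo_signed_tag() {
  if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
    echo "skipped"
    return 0
  fi
  work=$(mktemp -d)
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  repo="$work/repo"
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$work"' EXIT

  # 1. Certify-only primary key (usage "cert": it can only certify other keys and
  #    user IDs), expiring in two years so a lost key does not linger forever.
  #    --passphrase '' creates an unprotected key; acceptable only for a demo.
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$KEY_UID" "$ALGO" cert 2y >/dev/null 2>&1
  primary=$(primary_fpr)
  [ -n "$primary" ] || { echo "primary key generation failed" >&2; return 1; }

  # 2. Signing subkey with a shorter life; this is the key git will use day to day.
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-add-key "$primary" "$ALGO" sign 1y >/dev/null 2>&1
  sub=$(subkey_fpr)
  [ -n "$sub" ] || { echo "subkey generation failed" >&2; return 1; }

  # 3. Pin git to that subkey.  The trailing "!" tells gpg to use exactly this
  #    subkey instead of choosing one itself.
  git init -q "$repo"
  git -C "$repo" config user.name  "Demo Signer"
  git -C "$repo" config user.email "demo@example.invalid"
  git -C "$repo" config user.signingkey "${sub}!"
  git -C "$repo" commit -q --allow-empty -m "initial commit"

  # 4. Sign an annotated tag (the thread's "sign tags, not every commit" policy).
  git -C "$repo" tag -s v1.0.0 -m "Release v1.0.0"
  git -C "$repo" cat-file tag v1.0.0 | grep -q -- '-----BEGIN PGP SIGNATURE-----' \
    || { echo "tag carries no signature" >&2; return 1; }

  # 5. Verify.  The exit status covers "good signature"; the VALIDSIG status line
  #    additionally proves which subkey signed (field 3) under which primary (last field).
  git -C "$repo" verify-tag v1.0.0 >/dev/null 2>&1 \
    || { echo "signature did not verify" >&2; return 1; }
  git -C "$repo" verify-tag --raw v1.0.0 2>&1 | grep -q "VALIDSIG $sub " \
    || { echo "tag was not signed by the expected subkey" >&2; return 1; }
  echo "verified"
}

demo_signed_tag
```

Two points worth noting when adapting this to a real key. First, `git verify-tag` exiting 0 only means "a good signature from a key in the local keyring"; the `VALIDSIG` line from `--raw` is what lets a release script assert that the expected subkey, under the expected primary, produced it. Second, the script keeps primary and subkey in one keyring for simplicity; the security benefit of the split only materialises once the primary's secret key is moved offline and only the subkey remains on the machine that runs `git tag -s`.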
