topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday December 5, 2024, 3:30 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Git and PGP commit/tag signing  (Read 6276 times)

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Git and PGP commit/tag signing
« on: February 03, 2016, 01:22 AM »
Hey everybody, do any of you guys have any experience with PGP-signing in Git?

There's good reasons to sign your code, especially if you're planning to share your code with the world, and it's simple enough to set up - there's a zillion blog posts regurgitating the bare basics. I could of course just generate a 4096-bit RSA key and be done with it, but I guess I'm looking for more of a dos and don'ts or personal experience kind of thing, especially related to key management.

Since it's what people seem to do, I'm planning on using GNU Privacy Guard.

So, should I have one keypair for "everything" (signing in Git as well as email, if needed, and other encryption purposes), or is it better to have separate keypairs? Or signing keypair as a subkey? Any thoughts on keypair properties (e.g., RSA for the master, DSA signing-only key, expiration dates of master and subkeys, ...)? Anything else (GPG is a clusterfuck UX-wise, and has a lot of knobs you can play with)?

I'm pretty sure master + subkey is the way to go, and setting up is described decently enough, I guess - even if the dance seems elaborate.

As for the signing process itself, for the project at hand, I'll probably go with only signing tags - I'll be the only one committing to the repository (merging pull requests, should any ever appear), and I prefer signing to be a conscious, reviewed activity.
- carpe noctem

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,775
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Git and PGP commit/tag signing
« Reply #1 on: February 05, 2016, 01:12 PM »
I just found out about Keybase.io which may be tangentially related to this question since it mentions signing code (or verifying code signed by others). I posted about it here.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Git and PGP commit/tag signing
« Reply #2 on: February 05, 2016, 04:26 PM »
Thanks, Deo, but I specifically want PGP/GPG signing since it has built-in support in Git and other tools in the ecosystem :)

Gotta check out Keybase at some point, though - I've heard other people mentioning it, but never got around to look at it. Not really sure what to think about the filesystem thing, I'm always wary of "free storage space" offerings - but the main keybase thing seems to be a public key discovery service, which could be useful.
- carpe noctem

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,775
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Git and PGP commit/tag signing
« Reply #3 on: February 06, 2016, 02:11 AM »
Thanks, Deo, but I specifically want PGP/GPG signing since it has built-in support in Git and other tools in the ecosystem :)

Gotta check out Keybase at some point, though - I've heard other people mentioning it, but never got around to look at it. Not really sure what to think about the filesystem thing, I'm always wary of "free storage space" offerings - but the main keybase thing seems to be a public key discovery service, which could be useful.


Yeah, it's probably not what you want for your git tag signing stuff, but just for clarity, Keybase uses GPG/PGP.  :Thmbsup:

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Git and PGP commit/tag signing
« Reply #4 on: February 10, 2016, 07:14 AM »
Right, I went with a signing subkey, and will be signing only tags unless somebody convinces me otherwise.

Keybase.io requires beta singup, *sigh*. I think I'm like number 20k in queue...
- carpe noctem