Hey everybody, do any of you guys have any experience with PGP-signing in Git?
There are good reasons to sign your code, especially if you're planning to share your code with the world, and it's simple enough to set up - there's a zillion blog posts regurgitating the bare basics. I could of course just generate a 4096-bit RSA key and be done with it, but I guess I'm looking for more of a dos and don'ts or personal experience kind of thing, especially related to key management.
Since it's what people seem to do, I'm planning on using GNU Privacy Guard.
So, should I have one keypair for "everything" (signing in Git as well as email, if needed, and other encryption purposes), or is it better to have separate keypairs? Or a signing keypair as a subkey? Any thoughts on keypair properties (e.g., RSA for the master, DSA signing-only key, expiration dates of master and subkeys, ...)? Anything else (GPG is a clusterfuck UX-wise, and has a lot of knobs you can play with)?
I'm pretty sure master + subkey is the way to go, and setting up is described decently enough, I guess - even if the dance seems elaborate.
As for the signing process itself, for the project at hand, I'll probably go with only signing tags - I'll be the only one committing to the repository (merging pull requests, should any ever appear), and I prefer signing to be a conscious, reviewed activity.
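The master + signing-subkey layout and tag-only signing discussed in the post, as an added example that is not code from the original post: a certify-only primary key, a shorter-lived signing subkey, git pinned to that subkey, and `git tag -v` as the check. It assumes gpg 2.2 or newer and git on PATH; the user ID, e-mail address and key lifetimes are made-up demo values.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes gpg 2.2+ and git on
# PATH; the user ID, e-mail and lifetimes are made-up demo values.
set -eu

setup_keys() {
    # Throwaway keyring: the demo never touches the real ~/.gnupg.
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    # Primary key is certify-only: its sole job is to vouch for subkeys and
    # collect signatures from others, so it can stay offline most of the time.
    # The empty passphrase is for the demo only; a real key gets one.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Dev <demo@example.invalid>' ed25519 cert 2y
    PRIMARY_FPR=$(gpg --batch --with-colons -K | awk -F: '$1=="fpr"{print $10; exit}')
    # Signing subkey with a shorter lifetime; this is what git will use.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$PRIMARY_FPR" ed25519 sign 1y
    SUBKEY_FPR=$(gpg --batch --with-colons -K |
        awk -F: '$1=="fpr"{n++; if (n==2) {print $10; exit}}')
}

setup_repo() {
    # Fresh repository with one commit; commits stay unsigned, only tags get signed.
    REPO=$(mktemp -d)
    git -C "$REPO" init -q
    git -C "$REPO" config user.name 'Demo Dev'
    git -C "$REPO" config user.email 'demo@example.invalid'
    # The trailing '!' pins git to this exact subkey instead of letting gpg
    # choose any usable key for the user ID.
    git -C "$REPO" config user.signingkey "${SUBKEY_FPR}!"
    git -C "$REPO" commit -q --allow-empty -m 'initial commit'
}

sign_tag() {        # $1 = tag name; -s creates an annotated, PGP-signed tag
    git -C "$REPO" tag -s "$1" -m "release $1"
}

verify_tag() {      # exit status 0 only if the tag carries a signature that verifies
    git -C "$REPO" tag -v "$1" >/dev/null 2>&1
}

setup_keys
setup_repo
sign_tag v1.0
git -C "$REPO" tag v1.0-unsigned        # lightweight tag, nothing to verify
verify_tag v1.0 && echo "v1.0: signed with subkey $SUBKEY_FPR, verified"
verify_tag v1.0-unsigned || echo "v1.0-unsigned: no signature, verification fails"
```

Anyone cloning the repository still needs the public key (primary plus subkey) in their own keyring before `git tag -v` will report the tag as good.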