[Mailman-Developers] Signing commits with gpg
Abhilash Raj
maxking at asynchronous.in
Tue Oct 24 16:52:46 EDT 2017
Hi All,

Gitlab now supports verification of commit signatures and it would be
awesome if we start signing commits. It is a relatively painless process
and happens automatically with little configuration.

Spoofing authors in git is quite easy, actually provided as a command
line option (--author, --reset-author), and I believe it would be a good
practice to sign all the commits (even outside of Mailman).

Here are steps for how you can do that:

1. Add your public key to Gitlab (https://gitlab.com/profile/gpg_keys)
2. Commit with `-S` (capital S)

Here is the relevant section of `.gitconfig` to auto-sign every commit
you make (no need for step 2 if you do this):
```
[user]
    name = Abhilash Raj
    email = raj.abhilash1 at gmail.com
    signingkey = 541EA0448453394FF77A0ECC9D9B2BA061D0A67C
[commit]
    gpgsign = true
```

Once you have pushed a signed commit to Gitlab and have uploaded your
gpg public key, you will see a green "Verified" button alongside every
commit. (See https://gitlab.com/maxking/mailman/commits/msapiro/mailman-pending)

--
Abhilash Raj
maxking at asynchronous.in
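
An added example, not part of the original post: a shell filter that audits which commits carry a good signature, using git's `%G?` log placeholder, so that a commit whose author field was set with `--author` but never signed stands out. Treating every status other than `G` as a failure is a policy assumption, and the sample hashes and addresses are constructed.

```shell
#!/bin/sh
# Input format, one commit per line, as produced by:
#   git log --format='%H %G? %ae'
# %G? status codes are those documented for git-log.

# audit_signatures: read "<hash> <code> <author-email>" lines on stdin,
# print one line per commit without a good signature, return 1 if any.
audit_signatures() {
    awk '
        BEGIN {
            why["N"] = "unsigned"
            why["B"] = "bad signature"
            why["U"] = "good signature, key validity unknown"
            why["X"] = "good signature, signature expired"
            why["Y"] = "good signature, made by expired key"
            why["R"] = "good signature, made by revoked key"
            why["E"] = "cannot check signature (missing key?)"
        }
        $2 == "G" { next }          # fully verified: nothing to report
        {
            reason = ($2 in why) ? why[$2] : "unknown status " $2
            printf "%s %s %s\n", substr($1, 1, 12), $3, reason
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample input. The second commit names the same author as the
# first but has no signature, which is all that --author spoofing can produce.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G alice@example.org
2222222222222222222222222222222222222222 N alice@example.org
3333333333333333333333333333333333333333 B bob@example.org
4444444444444444444444444444444444444444 E carol@example.org
EOF
}

# Use inside a repository (the revision range is only an example):
#   git log --format='%H %G? %ae' origin/master..HEAD | audit_signatures
```

The non-zero return value makes the function usable as a gate in a hook or CI job.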