
please use signed git commits (and tags)



== What

Git supports signing of commits since version 1.7.9. Everybody should sign git 
commits always.

== Why

- The haskell team has a git repository with tools that maintainers should 
clone and use. I cloned the repo. How should I trust all these scripts?

- Somebody wants to contribute to the packaging of something. She clones the 
repo and wants to run dpkg-buildpackage on it. There's no trust in 
debian/rules at this point.

- not debian related: http://mikegerwitz.com/papers/git-horror-story

== How

- Tell git what key to use:

git config --global user.signingkey $YOURKEYID

- sign one commit: git commit --gpg-sign

- always sign all commits:

git config --global commit.gpgsign true

- Verify commits

git log --show-signature

- http://git-scm.com/book/es/v2/Git-Tools-Signing-Your-Work

Thank you,

Thomas Koch
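
A check for the verification step in the message above, as an added example that is not part of the original post: it reads `git log --format='%H %G?'` output and lists every commit in a range whose signature is not good. Accepting only status `G`, and the names `check_signatures` and `verify_range`, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Policy assumed here: only status G (good signature, valid key) passes.

# Reads "<hash> <status>" lines on stdin, as printed by
#   git log --format='%H %G?'
# Prints every commit that fails the policy; returns 1 if any did.
check_signatures() {
    failed=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) continue ;;
            U) why="good signature, but key validity unknown" ;;
            B) why="BAD signature" ;;
            X) why="signature expired" ;;
            Y) why="signed by an expired key" ;;
            R) why="signed by a revoked key" ;;
            E) why="cannot check (public key missing?)" ;;
            N) why="not signed" ;;
            *) why="unrecognised status '$status'" ;;
        esac
        printf '%s %s\n' "$hash" "$why"
        failed=1
    done
    return "$failed"
}

# Hypothetical wrapper: check every commit in a revision range.
verify_range() {
    git log --format='%H %G?' "$1" | check_signatures
}

# Usage: sh check-signed.sh origin/master..HEAD
if [ "$#" -eq 1 ]; then
    verify_range "$1"
fi
```

A commit reported as `U` carries a valid signature from a key GnuPG has no trust path to, so it answers "was this signed" but not "by someone I trust".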

