Sign commits on GitHub
Signing Commit on Tags on GitHub
I've recently set-up keybase and integrated my public key with git to be able to sign commits.
I decided to not automatically sign, as auto-signing would allow any attacker
that takes control of my machine to create signed commit. The git Merkle
tree of git still insure repos are
not tampered with, as long as you issue
$ git fsck --full on a repo or
config --global transfer.fsckobjects true once and forget it.
$ git log --show-signatur you can now check that commits (and tags) are
correctly signed. Be careful though, correct signature does not mean trusted,
and if you have a PGP key set; GitHub will helpfully signed the commit you make
on their platform with their key.
* commit 5ced6c6936563fea7ba7efccecbc4248d84cfabb (tag: 5.2.1, origin/5.2.x, 5.2.x) | gpg: Signature made Tue Jan 2 19:51:17 2018 CET | gpg: using RSA key 99B17F64FD5C94692E9EF8064968B2CC0208DCC8 | gpg: Good signature from "Matthias Bussonnier <firstname.lastname@example.org>" [ultimate] | Author: Matthias Bussonnier <email@example.com> | Date: Tue Jan 2 19:49:34 2018 +0100 | | Bump version number to 5.2.1 for release | * commit 5a28fb0a121c286e35db309fe11b53693969b2d6 |\ gpg: Signature made Tue Jan 2 13:58:08 2018 CET | | gpg: using RSA key 4AEE18F83AFDEB23 | | gpg: Good signature from "GitHub (web-flow commit signing) <firstname.lastname@example.org>" [unknown] | | gpg: WARNING: This key is not certified with a trusted signature! | | gpg: There is no indication that the signature belongs to the owner. | | Primary key fingerprint: 5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23 | | Merge: 3fd21bc 065a16a | | Author: Min RK <email@example.com> | | Date: Tue Jan 2 13:58:08 2018 +0100 | | | | Merge pull request #326 from jupyter/auto-backport-of-pr-325 | | | | Backport PR #325 on branch 5.2.x | | | * commit 065a16aad2e84d506b36bb2c874a7c287c53c61f (origin/pr/326) |/ Author: Min RK <firstname.lastname@example.org> | Date: Tue Jan 2 10:57:13 2018 +0100 | | Backport PR #325: Parenthesize conditional requirement in setup.py
So in the previous block, you can see that
5ced6c6... have been done and
signed by me, while
5a28fb0... has be allegedly done by Min, but signed by
By default you do not have GitHub Signature locally, so the GitHub Signed commits can appear as unverified.
To do so fetch the GitHub Key:
$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4AEE18F83AFDEB23
4AEE18F83AFDEB23 is the key you do not have locally.
And remember Valid Signature, does not mean trusted.
Tags can be signed, and need to be checked independently of commits :
$ git tag --verify 5.2.1 object 5ced6c6936563fea7ba7efccecbc4248d84cfabb type commit tag 5.2.1 tagger Matthias Bussonnier <email@example.com> 1514919438 +0100 release version 5.2.1 gpg: Signature made Tue Jan 2 19:57:18 2018 CET gpg: using RSA key 99B17F64FD5C94692E9EF8064968B2CC0208DCC8 gpg: Good signature from "Matthias Bussonnier <firstname.lastname@example.org>" [ultimate]
So you can check that I tagged this commit.
As usual the git documentation
has more to say about this. And signing is not really useful without checking
the integrity of Git history, so please set
$ git config --global transfer.fsckobjects true as well !