Signing Commits

35 views
Skip to first unread message

Roberto Cortez

unread,
Mar 14, 2022, 3:40:05 PM3/14/22
to smal...@googlegroups.com
Hi everyone,

In the next few days, we will require signing commits to contribute to SR Projects.

If you don’t have that setup, you can do it following the instructions here:

We hope that this will improve our security and make sure that the author matches the contributor.

Thanks!

Cheers,
Roberto

Ladislav Thon

unread,
Mar 15, 2022, 3:33:56 AM3/15/22
to SmallRye
How about we didn't? Key management is a massive pain. I know of projects that require `git commit -s`, but this is the first time I hear of someone requiring `git commit -S`.

LT

po 14. 3. 2022 v 20:40 odesílatel 'Roberto Cortez' via SmallRye <smal...@googlegroups.com> napsal:
--
You received this message because you are subscribed to the Google Groups "SmallRye" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smallrye+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/smallrye/18529A00-9D96-463B-B107-6291657218D9%40yahoo.com.
Message has been deleted
Message has been deleted

Roberto Cortez

unread,
Mar 15, 2022, 7:31:04 AM3/15/22
to smal...@googlegroups.com
No need to add -S, just the global setting `git config --global commit.gpgsign true` is enough.

Plus the signing key:

There are some increasing reports of GH phishing attempts, so I think we should add this extra layer of security.

I set up mine some time ago and it was a one-time thing.

Is this doable for you?

Cheers,
Roberto

Ladislav Thon

unread,
Mar 15, 2022, 7:52:22 AM3/15/22
to SmallRye
Hi,

út 15. 3. 2022 v 12:31 odesílatel 'Roberto Cortez' via SmallRye <smal...@googlegroups.com> napsal:
No need to add -S, just the global setting `git config --global commit.gpgsign true` is enough.

yea I know, I was just pointing out that there are two different ways of "signing" commits, and while I've seen one of them to be required by some projects, I haven't yet seen a requirement of the other.
 
Plus the signing key:

There are some increasing reports of GH phishing attempts, so I think we should add this extra layer of security.

I set up mine some time ago and it was a one-time thing.

Yea that's not a problem. I actually have a GPG key, but when I migrate to a new laptop, I'll probably lose it, just like I already lost several keys, because, ugh, they are just a pain. I'm happy enough that I'm able to keep my SSH key :-) I admit I'm terrible at security and in general try to stay away from private key cryptography if at all possible.

I uploaded my public key to GitHub and configured Git to sign the commits. Let's see how [long] it works :-)

LT
 

Julien Ponge

unread,
Mar 15, 2022, 8:54:13 AM3/15/22
to 'Roberto Cortez' via SmallRye
I’ve enabled this last week on Mutiny 😃

Roberto Cortez

unread,
Mar 15, 2022, 12:42:19 PM3/15/22
to smal...@googlegroups.com

Ladislav Thon

unread,
Mar 16, 2022, 11:58:18 AM3/16/22
to SmallRye
Are you seriously asking why everyone hasn't been GPG-signing their emails for more than 2 decades? :-)

At least from my perspective, user-friendliness is not that big of a deal. Key management and establishing trust are. (The 2nd issue is not a problem, because GitHub is centralized and there's no need to establish a web of trust. The 1st issue remains.)

LT

st 16. 3. 2022 v 13:30 odesílatel Martin Stefanko <xstef...@gmail.com> napsal:
Well, truthfully, I don't understand how anyone is not using this already. And I just set up the key once and then run `git config --global commit.gpgsign true` and I didn't touch it since then. And why? --> https://github.com/xstefank/smallrye-fault-tolerance/commit/d0bc50d85962da34ae560964d0d26f905f73d784 ;).

Martin

Reply all
Reply to author
Forward
Message has been deleted
0 new messages