Git has a great feature to help prevent fraudulent commits, especially in public repositories: you can sign a commit with a PGP-compatible tool (GnuPG is probably the most common).
This is easy when you’re using the command line tools. Just do a git commit -S (capital S; lowercase -s is Sign-Off, which only appends a Signed-off-by line and is not a cryptographic signature)
and you’re good to go.
If you’re like a large number of developers, you’re using an IDE of some sort for your heavy coding days.
I’m a particular fan of the various Jetbrains IDEs: PyCharm, WebStorm, RubyMine, etc.
There’s a pretty full-featured git integration available for all of these, and while I still use the command line fairly often, it’s nice to be able to hit ⌘K
and commit from the IDE.
There’s currently no option to sign a particular commit from the IDE (there’s Sign-Off, but that just adds a Signed-off-by line to the commit message; it is not a signature).
However, you can set git up to sign all of your commits, so the IDE never has to know about signing. There are a couple of gotchas, though.
Here’s a quick walkthrough of the process.
- Install GnuPG. This is more of a prerequisite, so it’s up to you to do this one on your own.
- Create a key for signing. There are lots of tutorials on this process, so again, left as an exercise for the reader. Note your key ID; it appears in the key listing, and in this example 0F40BD647EFF33D6 is the key ID. Use the long (16 hex digit) form: short 8-digit IDs are easy to collide.
- Configure git to sign every commit. Use git config --global commit.gpgsign true, plus the related settings (in particular the key ID from the previous step, so git does not have to guess which key to use), with your values substituted.
- Configure GnuPG to use a graphical agent to prompt for your passphrase. The IDE has no terminal, so a text-mode prompt will never appear and the commit will simply fail. This goes in your ~/.gnupg/gpg.conf file (with GnuPG 2.1 and later, the pinentry program itself is set in ~/.gnupg/gpg-agent.conf), which probably lives in a slightly different location on Windows.
- Commit a change in your IDE. I always select the Sign-Off option as well. You should be prompted for your GnuPG passphrase. Once you’ve committed, you can double check that it worked from the command line. This example shows a commit without a signature and one with a signature.
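The procedure above collected into POSIX shell functions that can be checked offline. This is an added example, not code from the original post: the key listing and the git log output are constructed stand-ins for what gpg and git print, the key ID 0F40BD647EFF33D6 is the one from the post, and the pinentry path is an assumption (Homebrew’s pinentry-mac on macOS).

```shell
#!/bin/sh
# Added example (not from the original post). The sample key listing and
# sample git log below are constructed; the pinentry path is an assumption.
# Real usage:
#   key=$(key_id_from_listing "$(gpg --list-secret-keys --keyid-format LONG)")
#   configure_git_signing "$HOME/.gitconfig" "$key"
#   configure_gnupg_agent "$HOME/.gnupg" /usr/local/bin/pinentry-mac
#   gpgconf --kill gpg-agent        # the agent re-reads its config on restart
#   unsigned_or_foreign_commits "$(git log --format='%H %G? %GK' -n 20)" "$key"
set -u

# Constructed stand-in for: gpg --list-secret-keys --keyid-format LONG
SAMPLE_KEY_LISTING='/home/user/.gnupg/pubring.kbx
----------------------------
sec   rsa4096/0F40BD647EFF33D6 2015-01-05 [SC]
      1234567890ABCDEF1234567890ABCDEF0F40BD64
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/ABCDEF0123456789 2015-01-05 [E]'

# Step 2: extract the long (16 hex digit) ID of the first secret key.
# Only "sec" lines are considered; "ssb" subkeys are usually encryption-only.
key_id_from_listing() {
    printf '%s\n' "$1" |
        sed -n 's#^sec[[:space:]]*[a-z0-9]*/\([0-9A-F]\{16\}\).*#\1#p' |
        head -n 1
}

# Append a line to a file only if that exact line is not already there,
# so the configuration functions are safe to re-run.
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Step 3: git. These lines are what the two commands
#   git config --global user.signingkey <key>
#   git config --global commit.gpgsign true
# put into ~/.gitconfig; git merges repeated sections, so appending is safe.
configure_git_signing() {
    gitconfig="$1"; key_id="$2"
    printf '[user]\n\tsigningkey = %s\n[commit]\n\tgpgsign = true\n' \
        "$key_id" >> "$gitconfig"
}

# Step 4: GnuPG. use-agent in gpg.conf is needed by GnuPG 1.4/2.0 (2.1+ always
# uses the agent); pinentry-program in gpg-agent.conf is what makes the
# passphrase prompt appear as a window instead of on a terminal the IDE lacks.
configure_gnupg_agent() {
    gnupghome="$1"; pinentry="$2"
    mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
    append_once "$gnupghome/gpg.conf" 'use-agent'
    append_once "$gnupghome/gpg-agent.conf" "pinentry-program $pinentry"
}

# Constructed stand-in for: git log --format='%H %G? %GK' -n 3
# %G? is G (good signature), N (none), B (bad), U (good, untrusted key);
# %GK is the ID of the signing key, empty when there is no signature.
SAMPLE_GIT_LOG='3c1f0a9b1d7e4c2a8f6b5e4d3c2b1a0f9e8d7c6b G 0F40BD647EFF33D6
a4b3c2d1e0f9a8b7c6d5e4c3b2a1f0e9d8c7b6a5 N
5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d G 1111222233334444'

# Step 5: print the hashes of commits that do not carry a good signature from
# the expected key. Checking the key ID, not just "G", catches commits signed
# by some other key that happens to be in your keyring.
unsigned_or_foreign_commits() {
    printf '%s\n' "$1" |
        awk -v key="$2" '!($2 == "G" && $3 == key) { print $1 }'
}
```

The verification step is the one worth keeping around: git log --show-signature is fine for eyeballing two commits, but the %G? and %GK placeholders give a machine-checkable answer for a whole branch, and a pre-receive hook on the server can run the same check.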