Git can be easily manipulated to undermine the integrity of a repository. Changing author details and code history is just a rebase away, and the author field on a commit is set by whoever makes it:
$ git commit --author="Linus Torvalds <email@example.com>"
To validate commits and tags you can sign them with GPG keys. GPG allows you to encrypt and sign messages/data using a pair of keys: public which can be shared over the internet and a private key, that you keep safe on your machine.
You can use Keybase for managing your GPG keys. This is apart from the functionality it provides, like encrypted messaging and file sharing.
You will need GPG and Keybase installed to get started. If you are on macOS you can use Homebrew. You will also need an account on keybase.io. This needs an invite to sign up and I’ve a bunch of invites in my account, so hit me up on Twitter if you need one.
$ brew install gpg keybase
$ keybase login
Once you have your Keybase account set up and all the dependencies installed, you will need to pull your public and secret keys from Keybase into the local GPG installation.
$ keybase export | gpg --import
$ keybase export -s | gpg --import
There should be two keys added in GPG under the email address used for Keybase; you can check them using gpg --list-keys. Now you need to add a user ID with your GitHub details using adduid. Make sure to add a comment if the Keybase and GitHub email addresses are the same, otherwise GPG will refuse the duplicate user ID.
$ gpg --edit-key firstname.lastname@example.org
gpg> adduid
Real name: Bassam Ismail
Email address: email@example.com
Comment: Github
You will need to tell Git to use the GPG key you just imported. This is done by setting signingkey to the ID of the public key pulled from Keybase. To find the key ID, run
$ gpg --list-keys
/Users/skippednote/.gnupg/pubring.gpg
-------------------------------------
pub   D093R/V2A067X 2016-07-21
uid       [ unknown] Bassam Ismail <firstname.lastname@example.org>
uid       [ unknown] Bassam Ismail (Bassam's macbook pro) <email@example.com>
sub   *****/******** 2016-07-21 [expires: 2024-07-19]
sub   *****/******** 2016-07-21 [expires: 2024-07-19]
Use the part after the / on the pub line (the key ID) to set signingkey:
$ git config --global user.signingkey V2A067X
To sign commits you will need to use the -S flag when creating commits, and the -s flag when creating tags (note the case: a lowercase -s on git commit only adds a Signed-off-by trailer, it does not sign).
$ git commit -S -m "Feature 1: Add new page"
$ git tag -s "Release-v1"
You can verify that your commits have been signed by checking the log with the --show-signature flag (git log --show-signature) or in the GitHub UI.
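Checking the log by hand does not scale; on a shared branch you want every commit audited, so that the rebased or author-spoofed history from the start of the post shows up as unsigned. The script below is an added example, not part of the original post or of Git itself. It uses git's %G? log placeholder, whose status letters are documented in git-log(1) (G good, B bad, U good but untrusted, X good but expired, Y key expired, R key revoked, E cannot be checked, N no signature). The range origin/main..HEAD and the sample log lines are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a range of commits for
# missing, bad, expired or unverifiable GPG signatures.

# audit_log reads lines shaped like the output of
#   git log --format='%G? %H %s'
# on stdin, prints one verdict per commit and returns the number of commits
# that did not carry a good signature (0 means the whole range is clean).
audit_log() {
    failures=0
    while read -r status hash subject; do
        [ -z "$status" ] && continue
        case "$status" in
            G)     verdict="signed" ;;
            U)     verdict="signed-untrusted" ;;      # valid signature, key not trusted locally
            N)     verdict="UNSIGNED";            failures=$((failures + 1)) ;;
            B)     verdict="BAD-SIGNATURE";       failures=$((failures + 1)) ;;
            E)     verdict="CANNOT-VERIFY";       failures=$((failures + 1)) ;;  # key not in keyring
            X|Y|R) verdict="EXPIRED-OR-REVOKED";  failures=$((failures + 1)) ;;
            *)     verdict="UNKNOWN-STATUS";      failures=$((failures + 1)) ;;
        esac
        printf '%s %s %s\n' "$verdict" "$hash" "$subject"
    done
    return "$failures"
}

# audit_branch runs the audit against a real repository. The default range
# (commits on HEAD not yet on origin/main) is an assumption; pass your own.
audit_branch() {
    git log --format='%G? %H %s' "${1:-origin/main..HEAD}" | audit_log
}

# Constructed sample log lines, standing in for `git log --format='%G? %H %s'`.
# The hashes are made up; the second commit is unsigned and the third carries
# a signature that fails verification.
SAMPLE_LOG='G aaaa1111aaaa1111 Feature 1: Add new page
N bbbb2222bbbb2222 Quick fix pushed without -S
B cccc3333cccc3333 Release notes with tampered content'

# audit_constructed_sample feeds the sample through the audit and returns the
# failure count, so the demo runs without a git repository.
audit_constructed_sample() {
    printf '%s\n' "$SAMPLE_LOG" | audit_log
}

audit_constructed_sample || printf 'demo: %s commit(s) failed signature audit\n' "$?"
```

Wire audit_branch into CI or a pre-receive hook and fail the job when it returns non-zero; the U case is deliberately reported but not counted as a failure, because a build machine usually has the signing keys imported but not marked trusted.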