You should sign your commits

why would I do that?

Verified

git without commit signing

A git workflow without commit signing lets anyone claim to be anyone else: the author and committer name and e-mail on a commit are just whatever user.name and user.email were set to, and anyone can set them to your values

git with commit signing

Commit signing makes impersonation detectable: a commit that claims to be from you but was not signed with your key shows up as unverified

git with enforced commit signing

Enforced commit signing (a server-side check that rejects any commit without a good signature from a known key) stops impersonation outright instead of only flagging it

A signature on a commit proves that whoever created it held the signing key; verifying it is what turns the claimed author into something other people can trust

What's the deal with keys?

How do we do this?

Generate a master key (RSA, sign only: it gets certify and sign capability and no encryption subkey):

gpg --full-generate-key
  kind:      (4) RSA (sign only)
  keysize:   4096
  valid for: 1y

Find the master key id, then add a sign-only subkey under it (this is the key that will actually sign commits):

gpg --list-keys youremail@example.org
gpg --edit-key YOURMASTERKEYID
  addkey
  RSA (sign only) / 4096 / 1y
  save

Back up both halves. public.key can be published (for example uploaded to your git host); secret.key contains the master key and belongs in offline storage, not on the machine you commit from:

gpg --export --armor --output public.key youremail@example.org
gpg --export-secret-keys --armor --output secret.key youremail@example.org

Remove the master secret key from this machine, keeping only the subkey (check secret.key exists before you do this):

gpg -K
gpg --delete-secret-keys YOURMASTERKEYID

(don't delete the subkey when prompted)

gpg -K

(your master key should now show sec# instead of just sec: the # means its secret half is no longer on this machine, while the subkey line still reads ssb)

.gitconfig

[user]
  signingKey = SUBKEYID!
[commit]
  gpgsign = true

The trailing ! tells gpg to use exactly that subkey instead of picking a signing key from the master key it belongs to. gpgsign = true signs every commit by default, so nothing is left unsigned by accident.

Get your subkey id from the sub line of:

gpg --list-keys --keyid-format long
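As an added example, not part of the slides, the following POSIX shell script runs the whole procedure above non-interactively in a throwaway GNUPGHOME and git repository, then performs the check an "enforced commit signing" hook would perform. It replaces the interactive --delete-secret-keys step with the equivalent export-subkey / delete / re-import sequence, which produces the same sec# result. The user id, file names, commit messages and the empty passphrase are placeholders chosen for this example (a real master key gets a strong passphrase); it assumes gpg 2.1 or later and git on PATH.

```shell
#!/bin/sh
# Added example, not from the slides: master key, sign-only subkey, backups,
# master secret removed, git configured to sign, and the verdict a server
# would use to enforce signing. Assumes gpg >= 2.1 (--quick-* commands,
# --with-colons) and git. EXAMPLE_UID and file names are placeholders.
set -eu

command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 || {
    echo "gpg and git are required" >&2; exit 1; }

EXAMPLE_UID='Example Signer <signer@example.org>'

# gpg with the options that make key operations non-interactive. The empty
# passphrase is for this throwaway key only.
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

primary_fpr() {  # master key fingerprint: the first fpr record for the uid
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

subkey_fpr() {   # first subkey fingerprint: the fpr record after the sub record
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1=="sub"{s=1} s && $1=="fpr"{print $10; exit}'
}

# Slides 1-4. The interactive deletion is replaced by: export only the subkey's
# secret half, delete every secret key, re-import the subkey. Prints the subkey
# fingerprint, which is what goes into user.signingKey (with a trailing !).
make_signing_subkey() {
    gpgb --quick-generate-key "$EXAMPLE_UID" rsa4096 sign 1y >/dev/null
    master=$(primary_fpr "$EXAMPLE_UID")
    gpgb --quick-add-key "$master" rsa4096 sign 1y >/dev/null
    sub=$(subkey_fpr "$EXAMPLE_UID")
    gpgb --armor --output public.key --export "$master"              # publish this
    gpgb --armor --output secret.key --export-secret-keys "$master"  # offline storage
    gpgb --armor --output subkey.key --export-secret-subkeys "$sub!"
    gpgb --delete-secret-keys "$master" >/dev/null
    gpgb --import subkey.key >/dev/null 2>&1
    echo "$sub"
}

# True when the master's secret half is now a stub: the sec# the slides look for.
master_is_stub() { gpg --batch -K "$EXAMPLE_UID" | grep -q '^sec#'; }

# The two .gitconfig settings from the slides, passed with -c so nothing global
# changes. The trailing ! pins gpg to exactly this subkey.
signed_commit() {  # $1 repo, $2 subkey fingerprint, $3 message
    git -C "$1" -c user.name='Example Signer' -c user.email=signer@example.org \
        -c user.signingkey="$2!" -c commit.gpgsign=true \
        commit --quiet --allow-empty -m "$3"
}

unsigned_commit() {  # $1 repo, $2 message: same identity claimed, no signature
    git -C "$1" -c user.name='Example Signer' -c user.email=signer@example.org \
        commit --quiet --allow-empty --no-gpg-sign -m "$2"
}

# git's one-letter verdict: G good, N unsigned, B bad, U good but untrusted key,
# X/Y/R expired signature/expired key/revoked key, E cannot be checked.
signature_status() {  # $1 repo, $2 revision
    git -C "$1" log -1 --format='%G?' "$2"
}

# What an enforcing pre-receive hook does: list every commit in the range whose
# verdict is not G. The push is rejected if this prints anything.
unsigned_commits() {  # $1 repo, remaining args a revision range
    repo=$1; shift
    git -C "$repo" log --format='%G? %H' "$@" | { grep -v '^G ' || true; }
}

run_demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME   # never touches ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"
    cd "$work"
    sub=$(make_signing_subkey)
    stub=no; master_is_stub && stub=yes
    git init --quiet "$work/repo"
    signed_commit "$work/repo" "$sub" "signed commit"
    unsigned_commit "$work/repo" "forged commit with no signature"
    first=$(signature_status "$work/repo" HEAD~1)
    second=$(signature_status "$work/repo" HEAD)
    rejected=$(unsigned_commits "$work/repo" HEAD | wc -l | tr -d ' ')
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "stub=$stub signed=$first unsigned=$second rejected=$rejected"
}

RESULT=$(run_demo)
echo "$RESULT"   # stub=yes signed=G unsigned=N rejected=1
```

The second commit claims the same name and e-mail as the first, which is exactly the impersonation the slides describe; only the %G? verdict tells them apart, and only a server that rejects anything other than G (the unsigned_commits check, run over the pushed range in a pre-receive hook) turns the badge into enforcement. rsa4096 matches the slides; ed25519 works the same way and generates much faster.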

This is the last slide