The Commit Object

[Figure: the Git commit object, from the Git book: size, tree c4ec5, parent a149e, author Justin, committer Matt, commit message]

Many of these properties are determined by the code.
Git Forgery :: Useful
* fix a spelling error without losing authorship information
* give credit for a code change when it is submitted via patch
* give credit where it is due, even if the author is not using your VCS
Git Forgery :: Juvenile
* insert subtle misspellings and make tofumatt the author
* change blame info so QA will file the bugs for someone else
* troll your coworkers

tofumatt -- http://mozillamemes.tumblr.com/post/19334029048/tofumatt-gives-you-a-pep8-lesson
Crypto to the rescue
Crypto fundamentals are beyond the scope of this lightning talk. Also, I lack a beard sufficient to give me credibility when explaining it.
Set up GPG
...or some other PGP. Whatever. Use GPG.

First things first: Pretty Good Privacy:
* used for signing, encrypting, and decrypting texts (commonly e-mail)
* created in 1991 by Phil Zimmermann for secure messaging on BBSs
* minimum 128 bits or greater of security
* the US Government considered it a weapon; Schneier called it close to military grade
* several proprietary implementations have been made
* OpenPGP is a standard under active development, and GNU Privacy Guard (GPG) is a widely used, open source implementation
Set up GPG
`gpg --gen-key`
Defaults are probably secure enough. Do not lose your passphrase.

Then? You can use this key for all sorts of crypto, mostly variants on the original idea -- signing documents. Email. Your will. Git commits.
Key Signing?
* one key endorses another
* builds a decentralized "web of trust"
* associates you and your key
* helpful, but not strictly necessary

Key signing can give more confidence in your signature. Beyond the scope of this talk, I think, but in case:
* `gpg --fingerprint KeyID`
* meet face to face, verify each other's IDs
* retrieve each other's public keys (keyserver? public posting?)
* check the fingerprint against the key: `gpg --recv-keys KeyID` then `gpg --fingerprint KeyID`
* IFF the key matches the fingerprint you were given, sign it
* email it to the key owner: `gpg --export -a KeyID | mail -s "Your signed key" [email protected]`
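The "check the fingerprint against the key" step, as an added example that is not part of the talk: a small POSIX sh script that pulls the full 40-hex fingerprint out of `gpg --fingerprint KeyID` output and compares it with the one you were handed in person, ignoring spacing and case. The listing below is constructed sample output in the older gpg 1.4 layout (the parser also accepts the bare indented fingerprint line of gpg 2.1+); the key, fingerprint digits and uid are made up. A short 8- or 16-hex key ID is deliberately rejected as the thing to compare against, because it is only the tail of the fingerprint and not what you verified face to face.

```shell
#!/bin/sh
# Added example, not from the talk: the fingerprint check behind
# "IFF the key matches the fingerprint you were given, sign it".

# normalize_fpr STRING -> hex digits only, upper-case: drops any
# "Key fingerprint =" prefix, all spaces/tabs, and lower-case hex.
normalize_fpr() {
    printf '%s\n' "$1" | sed 's/.*=//' | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fingerprint_from_listing LISTING -> the first 40-hex fingerprint found in
# LISTING (gpg --fingerprint output); prints nothing if there is none.
fingerprint_from_listing() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        candidate=$(normalize_fpr "$line")
        case $candidate in
            '' | *[!0-9A-F]*) continue ;;   # blank, or not pure hex
        esac
        if [ "${#candidate}" -eq 40 ]; then
            printf '%s\n' "$candidate"
            break
        fi
    done
}

# fingerprint_matches EXPECTED LISTING -> 0 if the fingerprint in LISTING
# equals EXPECTED (whitespace and case ignored), 1 otherwise. EXPECTED must
# be a full 40-hex fingerprint; a short key ID is refused.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    [ "${#expected}" -eq 40 ] || return 1
    actual=$(fingerprint_from_listing "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of `gpg --fingerprint` output; every value is made up.
SAMPLE_LISTING='pub   2048R/01234567 2012-03-08
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Example Person <person@example.invalid>
sub   2048R/76543210 2012-03-08'

# What the key owner wrote on the slip of paper they handed you (constructed).
given_in_person="0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"

if fingerprint_matches "$given_in_person" "$SAMPLE_LISTING"; then
    echo "fingerprint matches: OK to sign this key"
else
    echo "fingerprint mismatch: do NOT sign"
fi
```

Run it as `sh check_fpr.sh`; to use it on a real key, replace `SAMPLE_LISTING` with `$(gpg --fingerprint KeyID)` and `given_in_person` with the fingerprint you were handed.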
What about GIT?
Glad you asked. At this point you should have the key-id you just generated. Let git know what key to use: crack open your git config (.git/config or ~/.gitconfig) and add:

    [user]
        signingkey = KeyID
What about GIT?
Now, instead of:
`git tag -a tag_name sha`
use:
`git tag -s tag_name sha`
Alternatively, use `-u` to name the signing key explicitly. Tags can point to any object, usually commits.
Should I sign every commit then?
Probably not. Any commits reachable from the signed object (in the linear history of most Moz projects, this means commits before but not after) can be trusted, because they cannot be altered without breaking the signature on the object.
Should I sign every commit then?
Probably not. (The Socorro team signs release tags only.) Signing everything adds little extra security, introduces extra complexity, and could potentially mess with your workflow. Make signing releases part of your release process and you'll get most of the coverage.
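The claim on the last two slides, that commits reachable from a signed tag cannot be altered without breaking the signature, follows from how git names objects: every object id is the SHA-1 of `<type> <size>\0<content>`, a commit's content carries its tree id and parent id, and the signed tag names the head commit's id. As an added example (not from the talk, and not Socorro's code), the script below rebuilds that construction in POSIX sh and shows that rewording the root commit changes the head id a tag would have signed. The author/committer lines, messages and three-commit history are constructed for the demo; it needs only `sha1sum` (or `shasum`), not git.

```shell
#!/bin/sh
# Added example, not from the talk: why a signed tag pins every commit
# reachable from it. Only sha1sum/shasum is required.

sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | cut -d' ' -f1
    else
        shasum -a 1 | cut -d' ' -f1
    fi
}

# git_object_id TYPE CONTENT -> 40-hex id, built the way git builds it:
# SHA-1 over "<type> <byte length>\0<content>".
git_object_id() {
    obj_type=$1
    content=$2
    printf '%s %s\0%s' "$obj_type" "${#content}" "$content" | sha1_hex
}

EMPTY_TREE=$(git_object_id tree "")   # git's well-known empty tree id

# commit_id TREE PARENT MESSAGE -> id of a commit object with fixed, made-up
# author/committer lines. Pass "" as PARENT for a root commit.
commit_id() {
    parent_line=""
    if [ -n "$2" ]; then
        parent_line="parent $2
"
    fi
    commit_body="tree $1
${parent_line}author Example Author <author@example.invalid> 1331229724 -0800
committer Example Committer <committer@example.invalid> 1331229724 -0800

$3"
    git_object_id commit "$commit_body"
}

# chain_head ROOT_MSG -> id of the third commit of a linear three-commit
# history whose root commit carries ROOT_MSG (all three use the empty tree).
chain_head() {
    c1=$(commit_id "$EMPTY_TREE" "" "$1")
    c2=$(commit_id "$EMPTY_TREE" "$c1" "second change")
    c3=$(commit_id "$EMPTY_TREE" "$c2" "push release")
    printf '%s\n' "$c3"
}

# tag_still_verifies SIGNED_HEAD ROOT_MSG -> 0 if a history rebuilt from
# ROOT_MSG still ends in the id the tag signed, 1 otherwise. Stand-in for the
# gpg step of `git tag -v`: the signature covers the tag object, and the tag
# object names the head commit id, so any change to the ancestry shows up here.
tag_still_verifies() {
    [ "$(chain_head "$2")" = "$1" ]
}

signed_head=$(chain_head "initial import")
printf 'a release tag would sign commit %s\n' "$signed_head"
if tag_still_verifies "$signed_head" "initial import"; then
    echo "history untouched: head id matches, signature verifies"
fi
if ! tag_still_verifies "$signed_head" "initial import (root commit reworded)"; then
    echo "root commit rewritten: every later id changed, signature breaks"
fi
```

The only thing the tag carries is the head commit's id, yet rewording the oldest commit in the chain changes that id, because each commit's id is computed over its parent's id. This is why signing a release tag covers everything before it and nothing after it.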
Verification
You will need the other person's gpg key to verify any signatures.
Export your key to share:
`$ gpg --armor --export > pubKey`
Import someone else's key:
`$ gpg --import pubKey`
Make sure you've got it:
`$ gpg --list-keys`
Verification
(Optional) Sign it:

    $ gpg --edit-key [email protected]
    Command> fpr
    Command> sign
    (are you sure?) y
    (enter passphrase)
    Command> quit
    Save changes? y

Then export the key and send it back after signing.
Verification

    $ git tag -v v2.5
    object 2cf3b9cdfc4635b46c5c2d9405ed85ef10969e9f
    type commit
    tag v2.5
    tagger Lonnen 1331229724 -0800

    bug 733931 - push 2.5 release
    gpg: Signature made Thu Mar 8 10:02:55 2012 PST using RSA key ID D3F36BCF
    gpg: Good signature from "Chris Lonnen (Knight Errant) "

-or-

`$ git log --show-signature`

Requires having the correct public key in your GPG keychain to verify the signature.