Article: http://mikegerwitz.com/papers/git-horror-story

Theory
------

- faking another user's commits is easy with the `--author` flag
  `$ git commit --author='Foo Bar ' -m 'some commit'`
- signing commits ensures:
  - someone else can't commit as me
  - I really committed all the commits I sign

Commands
--------

*list gpg keys*

`$ gpg --list-secret-keys`

    sec 4096R/8EE30EAB 2011-06-16 [expires: 2014-04-18]
              ^^^^^^^^

- on the `sec` line, the highlighted part (the key id after the slash) is what git needs

*specify gpg key with git*

`$ git config --global user.signingkey 8EE30EAB`

*commit and sign a commit*

`$ git commit -S -m 'msg'`

- it's just the `-S` flag
- it will prompt for the gpg key passphrase

*showing commit signatures*

`$ git log --show-signature`

- with this, git automatically checks whether each signature is good!
- `log --pretty=format` flag for the signature status: `%G?`

*signed tag*

`$ git tag -s v1.0.0 -m 'msg'`

- to verify the tag:
  `$ git tag -v v1.0.0`

*reviewing and signing each commit*

- commit author is not changed!
- commit SHAs will change!

1. rebase
   `$ git rebase -i HEAD~x`
2. set all commits to `e` or `edit`
3. review the commit
   `$ git diff HEAD^`
4. sign the commit (again, does not change the commit author)
   `$ git commit -S --amend -C HEAD`
5. continue till the end
   `$ git rebase --continue`

*signing a merge*

- asserts I'm the one that performed the merge
- does not assert the integrity of each merged commit

`$ git merge -S --no-ff`
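The `%G?` placeholder mentioned above is what makes an automated check practical: `git log --format='%H %G?' <range>` prints one status letter per commit, so a script can refuse a range that contains any commit whose signature is not good. The shell snippet below is an added example, not part of the original notes or of Mike Gerwitz's article; `check_signature_report` and `audit_range` are names chosen here, and the commit hashes in `SAMPLE` are constructed so the function can be exercised without a repository or a keyring.

```shell
#!/bin/sh
# Added example: audit the signature status of a range of commits.
#
# Status letters produced by git's %G? format placeholder:
#   G  good signature
#   B  bad signature
#   U  good signature, but the key has unknown validity
#   X  good signature that has expired
#   Y  good signature made by an expired key
#   R  good signature made by a revoked key
#   E  signature cannot be checked (e.g. the public key is missing)
#   N  no signature at all

# check_signature_report reads "<sha> <status>" lines on stdin, exactly the
# shape produced by `git log --format='%H %G?'`, prints every commit whose
# status is not G, and returns 0 only when every commit is good.
check_signature_report() {
    bad=0
    while read -r sha status; do
        # Skip blank lines so trailing newlines do not count as commits.
        [ -n "$sha" ] || continue
        case "$status" in
            G) ;;
            *) printf '%s: signature status %s\n' "$sha" "$status"
               bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# audit_range runs the check against a real repository, e.g.
#   audit_range origin/master..HEAD
# It only works where git and the signers' public keys are available.
audit_range() {
    git log --format='%H %G?' "$1" | check_signature_report
}

# Constructed sample input (not real commits): two good signatures, one
# commit signed with an unknown key, and one unsigned commit.
SAMPLE='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 G
3333333333333333333333333333333333333333 E
4444444444444444444444444444444444444444 N'

# Demonstration without a repository: the two flagged commits are printed
# and the check fails, which is the behaviour a CI job or hook would rely on.
if printf '%s\n' "$SAMPLE" | check_signature_report; then
    echo "all commits carry a good signature"
else
    echo "range rejected: unsigned or unverifiable commits present"
fi
```

In a hook or CI job, `audit_range "$old_rev..$new_rev"` is enough; anything other than `G` is treated as a failure on purpose, since `U`, `E` and `N` all mean "this commit could have been authored by anyone with push access".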