Because after reading this article (sent by my dear friend @hugobessaa) I got paranoid. It's a little effort that can avoid a lot of trouble.
- User changes the commit author using the
--authoroption - The commit then introduces a new bug (blaming the new author)
- Crackers explore this breach 💀
- An audit will not be able to identify who was the commit author
Since Git 1.7.2, one can sign commits usign their own GPG key.
- Install
gpg. You can install it from Homebrew:
$ brew install gpg- Generate a fresh key:
$ gpg --gen-key # Default options are fine- Run gpg
--list-secret-keysand copy the code after the first/. Something like this:
$ gpg --list-secret-keys
/Users/your-user/.gnupg/secring.gpg
---------------------------------------
sec XXXXX/YYYYYYYY 2015-01-01
uid Your Name (Your Comment) <[email protected]>
ssb XXXXX/ZZZZZZZZ 2015-01-01
# What you want is that YYYYYYYY- Register your key to your Git configuration file:
$ git config --global user.signingkey your-key- You can now sign commits by using
git commit -S. You might want to add it as an alias to your.gitconfig:
[alias]
commit = commit -S- Profit 💰