I've been signing my Git commits since 2020, and it's one of those security practices that seems optional until you realize how easy it is for some...
Doesn't linking git to GH via ssh through the gh-cli automatically do this already or is linking it manually different?
Linking git to GH via ssh is needed to authenticate you with GitHub. That's how it determines if you have various rights wrt any repository.
I think, what @nickytonline is talking about is establishing authenticity, integrity and non-repudiation of each commit. No one can misuse your email and impersonate a commit if you sign all your commits.
Exactly Rajesh. Well said and thanks for reading my post!
I wasn’t aware of the GitHub CLI doing this. TIL!
Don't take my word for it. All I know is that the gh CLI lets you sign your local Git from your GitHub account via SSH, as I understand it. I'm only asking if it's the same as signing with a GPG key like you showed.
This is the method I always use to link my Git account to GitHub via SSH, but if GPG is different I'll take the time to reauthenticate my accounts.
It’s probably different because GPG can be for more than just signing Git commits. Will dig in though as I use the GH CLI all the time.
I see now. Thank you for the clarification.
Useful guide!
Thank you
Excellent write-up 👏 — most devs don’t realize how easy it is to spoof commits until it happens.
GPG signing really is the “HTTPS moment” for Git commits — optional now, essential later.
Love how you broke it down step-by-step (especially the macOS GPG Keychain part).
Bookmarking this for every new repo setup. 🔒💻
Thanks for giving it a read Shemith!
Thanks for sharing — good OSS practice!
You’re welcome Asher!
Ou sou cool
Wow, I have never considered this at all. It looks unnecessary, but it's actually important during contributions. I like how you expatiated the need and also showed us how to register and start using it.
From what I realise about your perspective, "gpg" is a separate application we can integrate with the Git-to-GitHub interaction, and it is easy and better for developers.
Thanks any. Will do more rest about it.
What about open source projects? Must everyone be forced to use signed commits on your repo?
They don't have to necessarily. It's up to the maintainers of the project.
Excellent write-up; clear, practical, and much needed for dev security hygiene.
Thanks Balasaranya!
It's so amazing!
Thanks Gogogo!
Amazing tips.
You’re welcome Nelson!
Super clear guide...
Super clear and actionable....
Great article! Love learning something new from another old timer :)