If you want to know why I started to do so, read on.
OpenPGP is a non-proprietary protocol for encrypting email communication using public key cryptography. It is based on the original PGP (Pretty Good Privacy) software. The OpenPGP protocol defines standard formats for encrypted messages, signatures, and certificates for exchanging public keys.
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system, and provides access modules for all kinds of public key directories.
There are three versions in the wild: classic, stable & modern. All versions implement the OpenPGP protocol, so it doesn't really matter which one you use to generate keys.
classic (1.4) is the old, single binary version which may build even on ancient Unix platforms. It has no dependencies like the newer versions. However, it lacks many modern features.
stable (2.0) is the modularized version of GnuPG classic, supporting OpenPGP, S/MIME, and Secure Shell.
modern (2.1) is the brand new version with enhanced features like support for Elliptic Curve Cryptography. It will eventually replace the current stable.
Keybase allows users to easily encrypt, decrypt and share messages within a tried-and-tested encryption standard. Furthermore, all public keys are tied to user accounts on the Keybase website, in addition to Twitter and Github accounts.
Why sign my git commits?
A person with enough privileges can alter any git commit, including my own. Also, it's entirely possible that someone could compromise my account and commit malicious code on my behalf. I want to verify my work to avoid such incidents.
Be careful of who you trust. Is your repository safe from harm/exploitation on your PC? What about the PCs of those whom you trust?
Your host is not necessarily secure. Be wary of using remotely hosted repositories as your primary hub.
Using GPG to sign your commits can help to assert your identity, helping to protect your reputation from impostors.
For large merges, you must develop a security practice that works best for your particular project. Specifically, you may choose to sign each individual commit introduced by the merge, sign only the merge commit, or squash all commits and sign the resulting commit.
If you have an existing repository, there is little need to go rewriting history to mass-sign commits.
Once you have determined the security policy best for your project, you may automate signature verification to ensure that no unauthorized commits sneak into your repository.
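One way to automate that verification, as an added example that is not part of the original post: a small POSIX shell helper that reads the per-commit signature status git reports through the `%G?` log placeholder and rejects anything outside an allowed set. It assumes `git` is installed; the sample status lines are constructed, not taken from a real repository.

```shell
#!/bin/sh
# Enforce a "no unsigned or badly signed commits" policy.
# git's %G? placeholder gives one letter per commit:
#   G good signature        U good, but signing key has unknown validity
#   B bad signature         X/Y signature/key expired
#   R key revoked           E cannot check (e.g. public key missing)
#   N no signature at all

# Reads "hash status" lines on stdin (from git or from sample data),
# prints one REJECT line per unacceptable commit.
# Returns 0 if every commit is acceptable, 1 otherwise.
check_signature_lines() {
    allowed="${1:-GU}"   # letters accepted; default: good sigs, trusted or not
    rc=0
    while read -r hash status; do
        [ -z "$hash" ] && continue
        if [ -z "$status" ]; then         # malformed line: never accept it
            printf 'REJECT %s status=?\n' "$hash"; rc=1; continue
        fi
        case "$allowed" in
            *"$status"*) ;;               # acceptable status letter
            *) printf 'REJECT %s status=%s\n' "$hash" "$status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Check every commit in a live range, e.g. "origin/main..HEAD".
# Pass "G" as the second argument to also reject untrusted keys.
check_range() {
    git log --format='%H %G?' "$1" | check_signature_lines "${2:-GU}"
}

# Constructed sample output (not from a real repo) for demonstration.
SAMPLE='aaaa1111 G
bbbb2222 U
cccc3333 N
dddd4444 B
eeee5555 E'

# Usage when run directly:
#   printf '%s\n' "$SAMPLE" | check_signature_lines   # rejects cccc, dddd, eeee
#   check_range origin/main..HEAD G                   # strict pre-merge check
```

Run `check_range` in a pre-receive hook or CI job so a merge fails when any commit in the pushed range lacks an acceptable signature.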
How do I start?
Once you decide to sign your commits, go through the following:
- Signing Git Commits & Tags with GPG2 and Verified on GitHub
- Submitting your GPG key to a keyserver
- On Keybase.io & Encrypted Private Key Uploading
If you really want to go the extra mile, consider buying a YubiKey (I'm not there yet).