On Thu, Apr 1, 2021 at 3:21 PM Bishop Bettini <bis...@php.net> wrote:

> On Thu, Apr 1, 2021 at 9:22 AM Rowan Tommins <rowan.coll...@gmail.com>
> wrote:
>
> > On 01/04/2021 05:54, Bishop Bettini wrote:
> > > I've documented why we need signing, and how to set it up:
> > >
> > > https://wiki.php.net/vcs/commit-signing
> > >
> > > Feedback welcomed!
> >
> >
> > This looks great, and very easy to follow.
> >
> > One edit I would strongly suggest though:
> >
> > Remove the "Passphrase:" line from the --generate-key command, so that
> > gpg will prompt interactively for the passphrase using the same entry as
> > it will use later when signing. You should never include a password or
> > passphrase in a command if you can avoid it, as it will be visible on
> > your screen, and stored in plain text in your shell history.
> >
> >
> > Some additional tips that might be worth adding:
> >
> > As an advanced setup suggestion, "gpg --full-generate-key" launches a
> > wizard with a couple of extra prompts.
> >
> > If you're on Ubuntu and don't have a new enough git (e.g. 18.04LTS ships
> > with 2.17.1), there is an official PPA to upgrade it; just run: "sudo
> > add-apt-repository ppa:git-core/ppa && sudo apt update && sudo apt
> > install git"
> >
> > Before pushing to github, you can verify the signature on a commit
> > locally with "git show --show-signature HEAD", or similarly for a tag by
> > passing the tag name.
> >
>
> Excellent suggestions. I've updated the guide with these.
>
> I also added a FAQ.
>
> https://wiki.php.net/vcs/commit-signing
>
>
Nice! It would be great if we start enforcing that. I finally set it up
too. I should have done it a long time ago considering that I have been
maintaining the gnupg extension for some time. :)

I think it's better to always use a subkey for signing commits, so that might
be good to add to the tutorial. Also, RSA is getting a bit heavy with big
keys, so it might also be good to suggest using ECC (e.g. EdDSA), which is
faster and possibly more secure. Although it's still in the expert settings,
it works fine, and a good tutorial can be found here:
https://dev.to/benjaminblack/signing-git-commits-with-modern-encryption-1koh

Regards

Jakub
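Two things come up in this thread that a script can make concrete: pointing git at one specific signing subkey, and checking locally (or in a hook, once signing is enforced) that every commit carries an acceptable signature before it is pushed. The following is an added example, not code from the thread or from the PHP wiki guide. It relies on git's `%G?` pretty-format placeholder (one-letter signature status per commit) and `%GS` (signer name), on gpg's convention that a key id with a trailing `!` selects exactly that subkey, and on `tag.gpgsign`, which exists since git 2.23. The sample log lines in `sample_log` are constructed (made-up hashes and names) so the check can be run without a repository.

```shell
#!/bin/sh
# Added example: configure git to sign with one subkey, and verify that a
# range of commits is properly signed. Not part of the PHP commit-signing
# guide; POSIX sh, needs git (and gpg) only for the --configure/--check modes.
set -eu

# Point git at a single signing subkey. The trailing "!" tells gpg to use
# exactly that subkey instead of choosing one under the primary key.
configure_signing() {
  subkey_id="${1:?subkey id required}"
  git config --global user.signingkey "${subkey_id}!"
  git config --global commit.gpgsign true
  git config --global tag.gpgsign true   # git >= 2.23
}

# Read lines of "<sha> <status> <signer>", i.e. the output of
#   git log --format='%H %G? %GS' <range>
# and print every commit whose signature is not acceptable.
# %G? codes: G good, U good but key not in the trust db, N no signature,
# B bad signature, X good but expired signature, Y good but expired key,
# R good but revoked key, E cannot be checked (e.g. key missing locally).
# Returns 0 when every commit is acceptable, 1 otherwise.
check_signed_commits() {
  bad=0
  while IFS=' ' read -r sha status signer; do
    [ -n "$sha" ] || continue
    case "$status" in
      G) ;;                                              # good, trusted key
      U) ;;                                              # good, untrusted key: accepted here
      N)   echo "$sha: unsigned"; bad=1 ;;
      B)   echo "$sha: BAD signature (signer: $signer)"; bad=1 ;;
      X|Y) echo "$sha: expired ($status) signer=$signer"; bad=1 ;;
      R)   echo "$sha: revoked key signer=$signer"; bad=1 ;;
      E)   echo "$sha: cannot verify, key missing?"; bad=1 ;;
      *)   echo "$sha: unknown status '$status'"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Check the commits about to be pushed; suitable for a pre-push hook.
check_range() {
  range="${1:-@{upstream}..HEAD}"
  git log --format='%H %G? %GS' "$range" | check_signed_commits
}

# Constructed sample of `git log --format='%H %G? %GS'` output for a dry run;
# the hashes and names are made up.
sample_log() {
  printf '%s\n' \
    '1111111111111111111111111111111111111111 G Jane Developer' \
    '2222222222222222222222222222222222222222 U Jane Developer' \
    '3333333333333333333333333333333333333333 N ' \
    '4444444444444444444444444444444444444444 B Someone Else'
}

case "${1:-}" in
  --configure) configure_signing "${2:-}" ;;
  --check)     check_range "${2:-}" ;;
  --demo)      sample_log | check_signed_commits ;;
esac
```

Run `sh sign-check.sh --demo` to see the two rejected sample commits, `--configure <subkey id>` once per machine, and `--check origin/master..HEAD` (the `git show --show-signature HEAD` from the thread is the single-commit form of the same check). Whether a `U` status is acceptable is a policy choice: it means the signature is valid but the key is not marked trusted in the local keyring, so a stricter hook would pin the allowed signer key ids instead.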
