Signing commits

Commits are signed to be able to verify the author of the commit. The ssh key (or username and password) only proves that you are allowed to authenticate against github.

• Generate a private key that uses a passphrase. Configure gpg-agent to
• cache credentials no longer than 10 minutes (this is the default). If you want a shorter timeout you can change this in ~/.gnupg/gpg-agent.conf
• All commits must be signed using a pgp key that includes the email address used configured for the author who is commiting.

Distribution of keys are done using keybase.io. To integrate Keybase, gpg and git follow the instructions here. Upload your own public key to Github. Never share your private key with anyone.

Unsigned commits will be rejected.

When running git log --show-signature a commit with a signature will look like this:

commit 4e6af36ca6d285033dd532e66469f273c6b64a37 (HEAD -> a-branch, origin/a-branch)
gpg: Signature made Tue Mar 27 14:11:45 2018 CEST
gpg:                using RSA key 0A46826A
gpg: Good signature from "John Doe <john@doe.com>" [complete]
gpg:                 aka "John Doe <john.doe@work.com>" [complete]
Author: John Doe <john@doe.com>
Date:   20 hours ago

    Summarize changes in around 50 characters or less

    ...