Dave Wood 🇨🇦

Do you sign your git commits?

If so, do you use GPG or SSH? And why did you pick one over the other (if you actively chose vs using GPG from before SSH was an option)?

#git #gpg #ssh #security

Jun 24 at 5:32pmTuba
Show threadScrivolical4d ago

@davewoodx Back when I had github accounts, I used to ssh sign the commits. It took a day of testing to get it working perfectly with Tower, from my scripts, and from the command line, however it worked flawlessly after it was set up.

I chose the ssh signing because I was already ssh authenticating with github, and I didn’t want to go down a rabbit hole of gpg signing, what binaries are safe, do I want my keys public, do I want visible attribution, blah blah. ssh was just straightforward.

Show threadDave Wood 🇨🇦4d ago
@scrivolical awesome thanks!
Show threadslackline :emacs: :orgmode:4d ago
@davewoodx GPG because I wanted to learn how to sign my commits with GPG and generally use GPG more as I splashed out on a YubiKey which holds my keys.
Show threadDave Wood 🇨🇦4d ago
@slackline Excellent thanks. So how often do you have to touch your key? Every commit?