Why sign your commits?
What we want
How to verify a commit?
$ git verify-commit 54d75d3d5992bdbd5ddb5a5f6a12bd7ba1dc747d
Good "git" signature with ED25519 key SHA256:lyOfOeV7C0s0ygnRgkSd4S8LVC4mkoPmRvlLdcvWOzM
No principal matched.
$ git verify-tag v1.2.3-4
Can anyone sign a commit?
$ cat ~/.ssh/allowed_signers
Verify commits of a release
# Verify the signature of every commit between two revisions
git log --oneline "${source_rev}..${target_rev}" |
awk '{ print $1 }' |
while read -r commit; do
git verify-commit "${commit}"
done
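Added example, not part of the original page: a calling script that tests the exit status of the loop above only sees the result for the last commit checked. The sketch below gates a release on git's documented %G? status letters and fails closed; the function names are hypothetical, and it assumes gpg.ssh.allowedSignersFile points at your allowed_signers file.

```shell
#!/bin/sh
# Added example (not from the original page): fail-closed signature gate.
# Status letters are the documented values of git's %G? placeholder.

# describe_status LETTER -> human-readable reason
describe_status() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, unknown validity" ;;
    B) echo "bad signature" ;;
    X) echo "good signature, expired" ;;
    Y) echo "good signature, expired key" ;;
    R) echo "good signature, revoked key" ;;
    E) echo "signature cannot be checked" ;;
    N) echo "no signature" ;;
    *) echo "unrecognised status" ;;
  esac
}

# check_signature_report: reads "<commit> <status>" lines on stdin,
# prints every commit that is not G, returns 1 if there was any.
check_signature_report() {
  failed=0
  while read -r commit status; do
    [ -n "$commit" ] || continue        # skip blank lines
    if [ "$status" != "G" ]; then
      printf '%s: %s\n' "$commit" "$(describe_status "$status")"
      failed=1
    fi
  done
  return "$failed"
}

# verify_release_range SOURCE_REV TARGET_REV (hypothetical helper name).
# Assumes gpg.ssh.allowedSignersFile points at your allowed_signers file.
verify_release_range() {
  # Capture first: a failing git log must not look like an empty, clean range.
  report=$(git log --format='%H %G?' "$1..$2") || return 2
  [ -n "$report" ] || return 0          # empty range: nothing to verify
  printf '%s\n' "$report" | check_signature_report
}
```

Call it as verify_release_range "${source_rev}" "${target_rev}" and stop the release on any non-zero status.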
Delve further
- GitHub: about commit signature verification
- GitHub: displaying verification statuses for all of your commits
- GitHub: telling Git about your SSH key
- man ssh-keygen: ALLOWED_SIGNERS
- Blog: git ssh signatures