From: "David A. Harding" <dave@dtrt•org>
To: Chris Beams <chris@beams•io>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] PSA: Please sign your git commits
Date: Wed, 21 May 2014 16:25:02 -0400 [thread overview]
Message-ID: <20140521202502.GA439@localhost.localdomain> (raw)
In-Reply-To: <7B48B9D4-5FB0-42CA-A462-C20D3F345A9A@beams.io>
On Wed, May 21, 2014 at 06:39:44PM +0200, Chris Beams wrote:
> I [was] searching for a way to enable signing by default [...]
> Unfortunately, there isn't one, meaning it's likely that most folks
> will forget to do this most of the time.
For all of my projects, I now I put this script in
.git/hooks/post-commit and post-merge:
#!/bin/bash -eu
if ! git log -n1 --show-signature | grep -q 'gpg: Good signature'
then
yes "FORGOT TO SIGN COMMIT MESSAGE"
exit 1
fi
So anytime I forget to sign, I get an obvious error and can immediately
run git commit --amend -S.
To automatically add a script like the one above to all new projects (plus
quickly add it old current projects), you can follow these instructions:
http://stackoverflow.com/questions/2293498/git-commit-hooks-global-settings
> If you're really serious about it, you should probably reject pull
> requests without signed commits; otherwise, signing becomes
> meaningless because only honest authors do it
I find signing my commits quite useful even on projects without a
default signing policy because it lets me diff from the last time I
provably reviewed the code. Here's my script for that:
#!/bin/bash -eu
KEY=F29EC4B7
last_signed_commit=$( git log --topo-order --show-signature --pretty=oneline \
| grep -m1 " gpg: Signature made.*RSA key ID $KEY" \
| sed 's/ .*//' \
| grep .
) || { echo "No signed commit found. Dying..." ; exit 1 ; }
set -x
git diff $last_signed_commit
By diffing against the last signed commit I made, I also review any
commits that were made using my name but which I didn't actually make,
such as squashes and rebases of my commits (and, of course, forgeries).
For anyone who's bored and wants to read a lot of text, I think the
definitive work on git signing is this:
http://mikegerwitz.com/papers/git-horror-story.html
-Dave
--
David A. Harding
next prev parent reply other threads:[~2014-05-21 20:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-21 12:23 Wladimir
2014-05-21 16:39 ` Chris Beams
2014-05-21 17:10 ` Wladimir
2014-05-21 20:30 ` Mark Friedenbach
2014-05-21 21:02 ` Gregory Maxwell
2014-05-22 18:06 ` Jeff Garzik
2014-05-23 0:25 ` Peter Todd
2014-05-23 7:12 ` Wladimir
2014-05-23 16:38 ` Mark Friedenbach
2014-05-23 16:48 ` Kyle Jerviss
2014-05-23 17:32 ` Gregory Maxwell
2014-05-23 10:23 ` Wladimir
2014-06-09 15:34 ` Chris Beams
2014-05-21 20:25 ` David A. Harding [this message]
2014-05-22 1:09 ` Chris Beams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140521202502.GA439@localhost.localdomain \
--to=dave@dtrt$(echo .)org \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=chris@beams$(echo .)io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox