Simplify signing Git commits and tags with SSH keys

@andyfeller

📣 Prerequisites | 💡 Motivation | 🎒 Exercises | 🚀 Beyond | 📚 Resources

In this workshop, participants learn how to secure Git commits and tags by signing them with SSH keys, a newer OpenSSH feature. This is an alternative to the traditional method of using GPG, where maintaining keys can be somewhat cumbersome.

Note: This workshop was originally presented at Git Merge 2022.

📣 Prerequisites

🎒 Exercises

  1. Setup workstation
  2. Signing and verifying commits
  3. Signing and verifying merges
  4. Signing and verifying tags
  5. Signing past commits and tags

🚀 Beyond

  1. 🤔 Author opinion: Enterprise challenges
  2. 🪙 bitcoin/bitcoin verify-commits

    Tooling for verification of PGP signed commits

    This is an incomplete work in progress, but currently includes a pre-push hook script (pre-push-hook.sh) for maintainers to ensure that their own commits are PGP signed (nearly always merge commits), as well as a Python 3 script to verify commits against a trusted keys list.

  3. 💻 andyfeller/gh-ssh-allowed-signers

    A gh extension to generate SSH allowed users file from GitHub users' signing keys.

  4. 🎉 Vendor support
  5. 🔑 1Password "Sign your Git commits with 1Password"

    We’re excited to announce that 1Password now allows you to set up and use SSH keys to sign Git commits. And with GitHub supporting SSH key signing as well, you can get that verified badge next to your username in seconds. No GPG keys required.

📚 Resources

✨ Thanks

This effort couldn't have happened without the support from many people, so thank you to the following who helped throughout the creation of this workshop:

@ppremk @leereilly @bval @aaronkowall @bestra @apdarr @evgenyrahman @vcsjones @ashishkeshan @lumaxis @milemons @abelberhane @katiem0 @kevfoste @allthedoll