As of Git v1.7.9, it is possible to sign your commits.
To activate this on your machine, you have to configure Git:
1. Get your key-id in the terminal:
$> gpg --list-keys
pub 1024D/123ABC89 2011-09-27
uid Carsten Nielsen
2. Locate the relevant key and copy its ID into your Git configuration:
$> git config --global user.signingkey 123ABC89
Now you can sign your commits with the -S option:
$> git commit -S
To check the origin of a commit, you can now show its signature with:
$> git log --show-signature
gpg: Signature made 2012-02-09T11:30:57 CET using RSA key ID 123ABC89
gpg: Good signature from "Carsten Nielsen "
Author: Carsten Nielsen
Date: Thu Feb 9 11:30:48 2012 +0100
Lets sign something
With this, we should be able to build infrastructure on the repository or deploy server that checks and ensures the origin of commits.
But this is another story for another time…
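One way the server-side check mentioned above could look, as an added example that is not part of the original post: it applies an allow-list policy to the signature status that `git log --format` reports through the `%G?` and `%GK` placeholders. The function names, `TRUSTED_KEYS`, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: deploy-side policy over `git log` signature status.
# Key IDs allowed to sign deployable commits (assumption: the post's key ID).
# Listing long key IDs here turns the suffix comparison into an exact match.
TRUSTED_KEYS="${TRUSTED_KEYS:-123ABC89}"

# Reads "<commit> <%G? status> <%GK key id>" lines on stdin.
# Prints one REJECT line per failing commit; returns 1 if any commit fails.
check_signatures() {
    rc=0
    while read -r commit status key; do
        [ -n "$commit" ] || continue
        if [ "$status" != G ]; then
            # N = unsigned, B = bad, U = good but key validity unknown, etc.
            echo "REJECT $commit status=$status"
            rc=1
            continue
        fi
        trusted=no
        for k in $TRUSTED_KEYS; do
            case "$key" in *"$k") trusted=yes ;; esac
        done
        if [ "$trusted" = no ]; then
            echo "REJECT $commit untrusted-key=$key"
            rc=1
        fi
    done
    return "$rc"
}

# On the server: check every commit in a range such as old..new.
verify_range() {
    git log --format='%H %G? %GK' "$1" | check_signatures
}

# Constructed sample input (not real commits): signed, unsigned, foreign key.
SAMPLE='a1a1a1a G 00000000123ABC89
b2b2b2b N
c3c3c3c G 0000000099999999'
printf '%s\n' "$SAMPLE" | check_signatures || echo "range rejected"
```

The check is only as strong as the keyring of the account that runs it, because `G` is reported only for signatures from keys that GnuPG on that machine already considers valid.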