In git it is easy to overwrite someone as author or commit as someone else. So how do you know it was really that person who committed the changes?
That's where GPG signing comes into the picture.
This is my first GPG-signed post.
One thing to note is that once you have generated GPG keys from Git Bash, you can't use them from the Windows command prompt. I found it rather handy to install GnuPG and then generate the keys with gpg.
One thing I had to set up explicitly was to tell git where to find gpg so that it asks me for the passcode. Anyway, the command is:
git config --global gpg.program "C:\GnuPG\bin\gpg.exe"
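To see why the author field alone proves nothing, the following added example (not part of the original post) lists every commit in a repository whose signature git does not report as good, using the `%G?` placeholder of `git log`. The throwaway repository, the names and the `example.invalid` addresses are constructed for the demonstration; it runs in Git Bash or any shell with git installed.

```shell
#!/usr/bin/env bash
# Added example: audit a repository for commits without a good signature.
# %G? status codes from git-log: G good, B bad, U good but unknown validity,
# X good but expired, Y good but made by an expired key, R good but made by
# a revoked key, E cannot be checked (e.g. missing key), N no signature.

# unsigned_commits <repo> [rev-range]
# Prints "<short-hash> <status> <author>" for every commit whose status is
# not G. Treating U/X/Y/R/E as failures is a strict policy chosen here.
unsigned_commits() {
    repo=$1
    range=${2:-HEAD}
    git -C "$repo" log --format='%h %G? %an <%ae>' "$range" |
        awk '$2 != "G"'
}

# make_demo_repo
# Builds a throwaway repo with one unsigned commit whose author field names
# a different person than the committer (all identities are constructed).
make_demo_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" \
        -c user.name="Real Committer" \
        -c user.email="real.committer@example.invalid" \
        -c commit.gpgsign=false \
        commit -q --allow-empty \
        --author="Someone Else <someone.else@example.invalid>" \
        -m "unsigned commit with a claimed author"
    printf '%s\n' "$dir"
}

# Demo: the commit is attributed to "Someone Else" but reports status N,
# so nothing ties it to that person's key.
demo_repo=$(make_demo_repo)
unsigned_commits "$demo_repo"
rm -rf "$demo_repo"
```

Run `unsigned_commits . origin/main..HEAD` (branch name is an assumption) before merging to flag commits that were not signed.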
A few links of interest around this topic:
- A git horror story: Repository Integrity With Signed Commits
Anyway the most interesting is this: