Thursday, December 17, 2009

Using GPG to Sign Git Tags

Lately, I’ve been working in Git for version control, and one of its more interesting features is the ability to sign source code tags. Git is a distributed repository system, and consequently it is impossible to know whether a given copy of the repository is official in any sense of the word. Cryptographic signatures alleviate this problem, and Git uses GPG to produce them.

First, it is necessary to tell Git about your key:

howardjp@byzantine:~/src/git$ git config user.signingkey 0x3EE4249E
howardjp@byzantine:~/src/git$ git config --get user.signingkey
0x3EE4249E
howardjp@byzantine:~/src/git$

Then, create a tag with the -s option:

howardjp@byzantine:~/src/git$ git tag -s commit.infodisplay 0839c680c7d2821753ae684874abf83aaaba6f32
.git/TAG_EDITMSG: unmodified: line 4
:a
This tag represents a finalized commit.infodisplay variable.
.
:x
.git/TAG_EDITMSG: 5 lines, 88 characters

You need a passphrase to unlock the secret key for
user: "James Patrick Howard, II"
2048-bit RSA key, ID 0x3EE4249E, created 2009-08-30 (main key ID 0xE6602099)

howardjp@byzantine:~/src/git$

Since my password was cached by GPG Agent, I do not need to enter it. And it’s that simple. To verify a tag, give a tag name and the -v option:

howardjp@byzantine:~/src/git$ git tag -v commit.infodisplay
object 589c8efd5bec637050ddaadae9471c15601738cb
type commit
tag commit.infodisplay
tagger James P. Howard, II  1261089522 -0500

This tag represents a finalized commit.infodisplay variable.
gpg: Signature made Thu Dec 17 17:38:42 2009 EST
gpg:                using RSA key 0x3EE4249E
gpg: Good signature from "James Patrick Howard, II" [ultimate]
howardjp@byzantine:~/src/git$

When Git signs a tag, it creates a tag object that names the commit being tagged, and because every commit hash covers its tree and its parent commits, the signature implicitly covers the entire history of the repository leading up to the tag. This is important because the signature then verifies an entire line of development, allowing distributed source trees that can be trusted.
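As an added example (not from the original post), the following script turns the verification step above into a policy check: it reads the machine-readable GnuPG status lines that `git verify-tag --raw` writes to stderr and accepts a tag only when the signature is good, the primary key behind the signing subkey is on an allowlist, and gpg reports full or ultimate trust. The fingerprints and status lines are constructed placeholders modelled on the post's key IDs (subkey 0x3EE4249E under primary 0xE6602099), not the author's real keys.

```python
"""Accept/reject a signed tag from the GnuPG status lines that
`git verify-tag --raw <tag>` writes to stderr ([GNUPG:] format from
GnuPG's DETAILS file).  Added example; all sample data is constructed."""
import subprocess
from typing import Optional, Set, Tuple

# Primary-key fingerprints whose tags we accept (constructed placeholders,
# built to end in the post's key IDs; not the author's real fingerprints).
PRIMARY_E6602099 = "1234567890ABCDEF1234567890ABCDEFE6602099"
TRUSTED_PRIMARY_FPRS = {PRIMARY_E6602099}
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def judge_status(status: str, trusted: Set[str] = TRUSTED_PRIMARY_FPRS) -> Tuple[bool, str]:
    """Return (accepted, reason).  Accept only when gpg reports VALIDSIG, the
    *primary* key behind the signing subkey is allowlisted, and the trust
    level is full/ultimate.  By default `git verify-tag` exits 0 for a good
    signature from a key of unknown trust, so this is stricter than the exit code."""
    primary: Optional[str] = None
    trust: Optional[str] = None
    for line in status.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in REJECT:
            return False, f"gpg reported {f[1]}"
        if f[1] == "VALIDSIG":
            # f[2] is the signing (sub)key fingerprint; the primary key's
            # fingerprint is the optional 12th field (the post's tag is signed
            # by subkey 0x3EE4249E under primary key 0xE6602099).
            primary = f[11] if len(f) > 11 else f[2]
        elif f[1].startswith("TRUST_"):
            trust = f[1]
    if primary is None:
        return False, "no VALIDSIG: signature not cryptographically verified"
    if primary not in trusted:
        return False, f"primary key {primary} not on allowlist"
    if trust not in ACCEPTED_TRUST:
        return False, f"trust level {trust} not accepted"
    return True, f"good signature, primary key {primary}, {trust}"

def verify_tag(tag: str, repo: str = ".") -> Tuple[bool, str]:
    """Run git against a real repository and judge its raw status output."""
    p = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                       capture_output=True, text=True)
    return judge_status(p.stderr)

# Constructed sample status output modelled on the tag shown in the post.
SUBKEY_FPR = "FEDCBA0987654321FEDCBA09876543213EE4249E"
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} James Patrick Howard, II
[GNUPG:] VALIDSIG {SUBKEY_FPR} 2009-12-17 1261089522 0 4 0 1 2 00 {PRIMARY_E6602099}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SAMPLE_UNKNOWN_TRUST = SAMPLE_GOOD.replace("TRUST_ULTIMATE", "TRUST_UNDEFINED")
SAMPLE_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {SUBKEY_FPR[-16:]} Mallory\n"
```

Run `verify_tag("commit.infodisplay")` inside a repository to judge a real tag; `judge_status` alone lets you exercise the policy offline on the samples.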