Comment by luizfelberti
7 years ago
The missing answer in there is how to avoid PGP/GnuPG for commit signing. I've asked about this in another similar thread[0] but didn't get a hopeful answer.
Everytime I look at git's documentation GPG seems very entrenched in there, to a point that for things that matter I'd use signify on the side.
Is there a better way?
It seems pretty clear that, with the current tools available, there is no way to do this (at least with git). There's nothing in principle difficult about it, just that (say) git+signify hasn't been implemented.
I'm getting the strong sense (see also my toplevel comment, and maybe someone will correct me and/or put me in my place) that there's an enormous disconnect between the open source + unix + hobbyist + CLI development communities, and the crypto community. The former set has almost no idea what the state of art in crypto is, and the latter (somewhat justifiably) has bigger fish to fry, like trying to make it so that non-command-line-using journalists have functional encryption that they can use.
I think this is a sociological problem, not a technical "using command-line tools makes Doing Crypto Right impossible".
Signing tags (or somewhat less usefully, commits) can be done the same way packages are signed. It might not be directly integrated with git, but it wouldn't be hard to make a good workflow.
The article mentions Signify/Minisign. [1]
[1] https://jedisct1.github.io/minisign/ as an PGP alternatie.
> It might not be directly integrated with git
That's the problem I see. I have signingkey in .gitconfig, together with [commit] gpgsign = true. This way, set & forget, all my commits are signed (it's my employer requirement, probably some "compliance" stuff). You can see it right away nicely displayed as "Verified" on github. I didn't know about GPG-s supposedly weak security until now, but always considered it not very convenient to use.
Ah, well if your employer mandates PGP signatures on every commit, that's that.
FWIW, the creator of git argues that signing of every commit is essentially pointless. [1] I agree.
[1] http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...