this post was submitted on 05 Sep 2023
15 points (80.0% liked)

Git

2868 readers
2 users here now

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.

Resources

Rules

  1. Follow programming.dev rules
  2. Be excellent to each other, no hostility towards users for any reason
  3. No spam of tools/companies/advertisements. It’s OK to post your own stuff part of the time, but the primary use of the community should not be self-promotion.

Git Logo by Jason Long is licensed under the Creative Commons Attribution 3.0 Unported License.

founded 1 year ago
MODERATORS
Ategon@programming.dev
jnovinger@programming.dev
canpolat@programming.dev
15
Decoupling GPG from Git (programming.dev)
submitted 1 year ago by danhab99@programming.dev to c/git@programming.dev
9 comments fedilink hide all child comments
 

Over the last year I've been trying to understand why GPG isn't popular. Based on the features I think it's a pretty valid thing. This article changed my mind.

Turns out GPG is too old ¯_(ツ)_/¯

I like signing my commits, it feels good to know that my identity is actually attached to my code. So I put in some work to reconfigure git to use a different signing tool, I didn't think it would be such a big deal, turns out git fully intergrates GPG. I'm confused. Why does git need to be hardcoded to use GPG specifically?

What rule says we can't have git configs like:

[sigining]
  defaultMethod=minisign

[signing.minisign]
  always=true
  signCommand=minisign -S -s {secret-key-file} -x {sig-file-name} -m {target-file}
  verifyCommand=minisign -V -P {public-key-file} -m {target-file}

Where the verifyCommand exits 0 if the signature is good and 1 if not.

I'm open to hearing cons. These are some I can think of:

  • User's have to configure git with each signing and verifying program
  • Upstream security conserns from signing programs
  • Signing programs changing their interfaces
you are viewing a single comment's thread
view the rest of the comments
[–] mo_ztt@lemmy.world 1 points 1 year ago

It's "bias" in favor of the truth, though. I don't think he's saying anything against email as a technology or against PGP-signing your emails as a habit -- just saying that encrypting an email with a PGP key and thinking that'll make it un-eavesdroppable is just 100% wrong backwards and forwards. That's accurate, and I think it's worth saying (I mean, I wasn't fully aware that e.g. the subject line of a PGP-encrypted email is still plaintext).