I won't go deep into the subject, but I think signing at least your tags is a good first step towards security.
In this guide you will:
- Install GPG (GNU Privacy Guard)
- Create a signing key
- Create a signed tag
- Push the tag to the git server
You should already have git installed, of course.
So let's get started.
Installing MacGPG
You should follow the MacGPG installation instructions at MacGPG at Sourceforge.
Or, if you like tools that solve your problems while hiding the neat part, use GPG Tools, although I personally didn't test it.
Creating a signing key
Before we can really use the tag command we must create a key, in a similar way to what we do when using SSH private keys for GitHub. In a terminal run:
gpg --gen-key
The terminal should ask you to select your key type like this:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
The default selection is preferred in this case, unless you REALLY KNOW why you would want to choose other options.
Next it asks you to choose a size:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
I guess 2048 is good enough for me; pick the size you need.
Now it will ask for an expiry date. Even if you have really strong reasons for not setting an expiry date, THINK AGAIN.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Type O when you have finished, and the terminal will prompt for a passphrase.
And you're done for this step, let's create some tags.
Creating Tags with Git
First you should get your key identifier; run the following command:
gpg --list-secret-keys
sec   2048R/8EE30EAB 2013-07-16 [expires: 2015-07-16]
uid                  Name (Comment) <youremail@email.com>
ssb   2048R/hexvalueB 2013-07-16
The key ID is the hex value after 2048R/ on the sec line (8EE30EAB here).
Go to your repository folder in the terminal and configure git to use this key (remove the --global param to apply it only to the current repository):
git config --global user.signingkey 8EE30EAB
Create a signed tag with -s (git will ask for your passphrase):
git tag -s v1.5 -m 'my signed 1.5 tag'
Check the tag; the output includes the PGP signature block:
git show v1.5
Push the tag to the git server, or push all your tags at once with --tags:
git push origin v1.5
git push origin --tags
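The key-generation and tagging steps above, put together as one script. This is an added example, not code from the original post or from the GnuPG or git projects. It assumes gpg 2.1 or newer and git on PATH, generates the key non-interactively (a batch parameter file instead of the prompts shown above), and goes one step beyond the post by also verifying the tag with git tag -v, which is the check a reviewer or CI job runs before trusting a release tag. The name, email, key size and tag names in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post or from GnuPG/git: the whole
# signed-tag workflow (key generation, git configuration, signing, verification)
# as one script. Assumptions: gpg 2.1 or newer and git on PATH; the name, email,
# key size and tag names used by the demo are constructed values.
set -eu

# Pull the short key ID out of `gpg --list-secret-keys` output read on stdin,
# i.e. the "8EE30EAB" in a line like
#   sec   2048R/8EE30EAB 2013-07-16 [expires: 2015-07-16]
# (gpg 2 prints the same shape with --keyid-format short, e.g. "rsa2048/8EE30EAB").
# Only the first "sec" line is used, so with several keys the first one wins.
key_id_from_listing() {
  sed -n 's|^sec[[:space:]]*[^/]*/\([0-9A-Fa-f]\{8,\}\).*|\1|p' | head -n 1
}

# Generate a throwaway RSA key without prompts and print its short key ID.
# %no-protection sets no passphrase, which is only acceptable for a demo key
# that lives in a temporary GNUPGHOME and is deleted afterwards.
make_signing_key() {
  gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 1d
%no-protection
%commit
EOF
  gpg --list-secret-keys --keyid-format short | key_id_from_listing
}

# Point a repository at KEY_ID and create a signed tag (git tag -s).
sign_tag() {
  git -C "$1" config user.signingkey "$2"
  git -C "$1" tag -s "$3" -m "$4"
}

# Exit status 0 only if the tag carries a signature that verifies against a
# key in the keyring; this is the check to run before accepting a release tag.
verify_tag() {
  git -C "$1" tag -v "$2" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  GNUPGHOME="$work/gnupg"; export GNUPGHOME   # isolated keyring, never ~/.gnupg
  mkdir -m 700 "$GNUPGHOME"
  repo="$work/repo"
  git init -q "$repo"
  git -C "$repo" config user.name "Demo Signer"
  git -C "$repo" config user.email "demo@example.invalid"
  git -C "$repo" commit -q --allow-empty -m "initial commit"

  key_id=$(make_signing_key "Demo Signer" "demo@example.invalid")
  echo "generated throwaway key $key_id"

  sign_tag "$repo" "$key_id" v1.5 "my signed 1.5 tag"
  verify_tag "$repo" v1.5
  echo "v1.5: signature verified"

  # An annotated but unsigned tag must be rejected by the same check.
  git -C "$repo" tag -a v1.5-unsigned -m "no signature"
  if verify_tag "$repo" v1.5-unsigned; then
    echo "v1.5-unsigned: unexpectedly verified"; exit 1
  fi
  echo "v1.5-unsigned: rejected as expected"
}

case "${1:-}" in
  demo) demo ;;
  *) echo "usage: $0 demo   (runs the workflow with a throwaway key in a temp dir)" ;;
esac
```

Run it as `sh signed_tag.sh demo`; everything happens in a temporary directory with its own GNUPGHOME, so your real keyring and repositories are untouched. For a real key you would keep the interactive gpg --gen-key flow from the post (with a passphrase and an expiry date) and only reuse sign_tag and verify_tag.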