What’s the benefit of signing a commit with a GPG key?


8

  • What changes from a signed and verified commit to an unsigned commit?
  • What is the benefit of signing commits with a GPG key?

2 answers

9

GPG is an end-to-end encryption system based on key pairs; in this system data is encrypted on sending and decrypted on receiving. It is also used for digital signatures, "so that the integrity and sender of the message can be checked".

Using GPG protects your data against interception as well as against a possible fake commit. So anyone who sees your commit status as "signed" will have more confidence in executing your code.

In short:

• What changes from a signed and verified commit to an unsigned commit?

In GitHub and similar applications, your commit shows an additional status of "verified".

• What is the advantage of signing commits with a GPG key?

  1. Prevents interception of commits and fake commits made on your behalf.
  2. Provides assurance to anyone who downloads your code and executes it.
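What a commit signature actually covers, as an added example that is not part of the original answer: git stores the detached GPG signature inside the commit object as a `gpgsig` header, and `git verify-commit` strips that header back out and hands the remaining bytes (tree, parents, author, committer, message) to gpg. The commit fields, hashes and the ASCII-armored signature below are constructed placeholders, not the output of a real key; `verify_with_gpg` assumes a `gpg` binary on `PATH` and returns `None` when there is none.

```python
"""Added example (not from the original post): how git folds a signed
commit into payload + detached signature and what `git verify-commit`
checks. Sample commit and signature are constructed placeholders."""
import hashlib
import os
import shutil
import subprocess
import tempfile

# Constructed unsigned commit object, in the layout `git cat-file commit`
# prints. This is the payload a signature covers: tree, parent, author,
# committer and the message. Change any byte and gpg reports BADSIG.
PAYLOAD = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent 1111111111111111111111111111111111111111\n"
    b"author Alice Example <alice@example.com> 1700000000 +0000\n"
    b"committer Alice Example <alice@example.com> 1700000000 +0000\n"
    b"\n"
    b"Validate input in the login handler\n"
)

# Placeholder armored signature (a real one is longer). The empty line
# after the BEGIN marker is deliberate: git must fold it into the header.
SIGNATURE = (
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder\n"
    b"=abcd\n"
    b"-----END PGP SIGNATURE-----\n"
)


def add_gpgsig(payload: bytes, signature: bytes) -> bytes:
    """Store a detached signature the way git does: a 'gpgsig' header after
    the last header line, every continuation line prefixed by one space
    (an empty armor line becomes a lone space)."""
    headers, _, message = payload.partition(b"\n\n")
    lines = signature.rstrip(b"\n").split(b"\n")
    folded = b"gpgsig " + lines[0] + b"".join(b"\n " + l for l in lines[1:])
    return headers + b"\n" + folded + b"\n\n" + message


def split_signed_commit(raw: bytes):
    """Inverse of add_gpgsig: return (payload, signature). payload is the
    object with the gpgsig header removed; signature is None when the
    commit was never signed, which is how git distinguishes the two."""
    headers, _, message = raw.partition(b"\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])  # continuation line of the armor
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def commit_id(raw: bytes) -> str:
    """Object id = SHA-1 over 'commit <size>\\0' + bytes. The gpgsig header
    is part of those bytes, so the signed and unsigned forms of the same
    change have different ids and the signature travels with history."""
    return hashlib.sha1(b"commit %d\x00" % len(raw) + raw).hexdigest()


def verify_with_gpg(raw: bytes):
    """Run the check git runs (`gpg --status-fd 1 --verify <sig> -`, payload
    on stdin). True on GOODSIG, False otherwise, None if gpg is missing or
    the commit carries no signature. Assumes gpg is on PATH."""
    payload, signature = split_signed_commit(raw)
    gpg = shutil.which("gpg")
    if signature is None or gpg is None:
        return None
    with tempfile.NamedTemporaryFile(suffix=".asc", delete=False) as f:
        f.write(signature)
        sig_path = f.name
    try:
        proc = subprocess.run([gpg, "--status-fd", "1", "--verify", sig_path, "-"],
                              input=payload, capture_output=True)
    finally:
        os.unlink(sig_path)
    return b"[GNUPG:] GOODSIG" in proc.stdout


if __name__ == "__main__":
    signed = add_gpgsig(PAYLOAD, SIGNATURE)
    payload, sig = split_signed_commit(signed)
    print("bytes gpg checks:\n" + payload.decode())
    print("signed id:  ", commit_id(signed))
    print("unsigned id:", commit_id(PAYLOAD))
    # Rewriting the author keeps the signature bytes but changes the payload,
    # so gpg would report BADSIG for this object.
    forged = signed.replace(b"alice@example.com", b"mallory@example.com", 1)
    print("payload intact after forgery?", split_signed_commit(forged)[0] == payload)
```

On a real repository, `git cat-file commit HEAD` gives you the raw bytes to feed `verify_with_gpg`. Note what the check does and does not say: a good signature proves the tree, parents, author, committer and message are exactly what the key holder signed; it says nothing about whether that tree is safe to run, and a forge that keeps the signature but edits any field yields a bad signature, not an unsigned commit.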

0

When you sign a commit with GPG, GitHub shows a "Verified" status, meaning users will know it's an official version; in addition, it is compatible with RFC 4880, the IETF standard.

Using GPG (GNU Privacy Guard, GnuPG) increases the credibility of your code, because the user will have the "certainty" (remember that no encryption is 100%) that a virus does not come along with the project or that it has not somehow been modified to divert data; that is not too hard, I've seen some on GitHub (without GPG).

It interoperates (can exchange data) with OpenPGP, so you could migrate from PGP to GPG.

I talked about GitHub, but you can use it on others like Bitbucket. As for keeping the project up to date, it is part of the Free Software Foundation and is sponsored by the German government, so we will have updates to fix bugs and security holes for a few more years; this is a great advantage over PGP.
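The signing and verification workflow end to end, as an added example (not code from the original answers): it creates a throwaway GnuPG home and repository, signs a commit, then shows the three states a verifier can see: a good signature, a rewritten commit that carries no signature, and a commit whose signed bytes were altered while the old signature was kept. The identity and key are made up for the demo and `git`/`gpg` are assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the original answers. Throwaway key and repo;
# identity "Demo Signer <demo@example.com>" is invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Signature status of a commit as git reports it (%G?): G good, U good but
# untrusted key, B bad, N no signature, E could not check.
signature_status() { git log -1 --format=%G? "$1"; }

setup_signed_repo() {
    # Unattended key generation; an empty passphrase is fine for a demo key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.com>' ed25519 sign 1d
    keyid=$(gpg --list-secret-keys --with-colons demo@example.com \
            | awk -F: '$1 == "sec" { print $5; exit }')
    git init -q "$WORK/repo"
    cd "$WORK/repo"
    git config user.name 'Demo Signer'
    git config user.email 'demo@example.com'
    git config user.signingkey "$keyid"
    git config commit.gpgsign true      # same as passing -S on every commit
    echo 'hello' > README
    git add README
    git commit -q -m 'Signed commit'
}

# Rewrite HEAD without signing: the new object has no gpgsig header at all.
rewrite_unsigned() { git commit -q --amend --no-gpg-sign -m 'Rewritten'; }

# Forge: take the signed object, change the message, keep the old signature,
# and store the result as a new commit object. Prints the new commit id.
forge_signed_commit() {
    git cat-file commit "$1" | sed 's/Signed commit/Backdoored/' \
        | git hash-object -t commit -w --stdin
}

setup_signed_repo
good=$(git rev-parse HEAD)
echo "signed:    $(signature_status "$good")"
git verify-commit "$good" 2>&1 | sed -n 's/^gpg: /verify: /p'
forged=$(forge_signed_commit "$good")
echo "forged:    $(signature_status "$forged")"
rewrite_unsigned
echo "rewritten: $(signature_status HEAD)"
```

`git verify-commit` exits non-zero for both the forged (B) and the rewritten (N) commit, which is the check a CI job or a `pre-receive` hook should run; GitHub's badge is the same check performed against the keys uploaded to the committer's account. Also note that the forged object is still a syntactically valid commit that git happily stores, so nothing short of running the verification distinguishes it from the original.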
