from Hacker News

I'm not going to cryptographically sign my Git commits, and you shouldn't either

by notkaiho on 3/2/24, 10:49 PM with 12 comments

  • by fragmede on 3/3/24, 1:20 AM

    The edge lord way to respond to this article, would be to go around "contributing" to various projects under their name with bad commits. I'll leave that for someone else to do, but signing commits means they did actually come from you. In this world with a big bad Internet, where supply chain attacks are real, it really isn't that much effort to register on GitHub and verify commits. If you have some religious reason not to against GitHub, sure, don't do it, but for the rest of us, after reading the article, I don't see why not. The article says it's unnecessary complexity, but I don't think it is because it addresses a weakness in git's design. That it's a permanent record that you did something in the past is a feature, not a bug. It means you did it, not someone claiming to be you. Scammers are getting more and more advanced, and it's just so little effort now to say you didn't do a thing.

  • by nusl on 3/3/24, 12:04 AM

    I don’t fully understand the argument. The article is rambling and touches so many topics in different ways such that I can’t really see a clear analogy or connection.

    What I gathered was that the author believes signing commits to be bad because;

    1. It adds complexity that you otherwise don’t need

    2. GitHub is the only place that cares or enables this and we don’t want to add to their Git monopoly

    3. Signing the commit does little in reality since it doesn’t affect anything other than “Verified” on GitHub

    4. Something about signatures being permanent?

    Honestly I don’t get the argument. It’s not useless, not hard to set up, and not hard to maintain. You can initially lock yourself out of committing if you mess it up but usually it won’t lock you out. The extra assurance that someone signed the commit with a key that only they should have is really good if you care about that. That means someone can’t just spoof your name (which is very easy with Git) and sneak changes in more easily.

    Humans are still a key part of working around source control. That means there is trust involved, and code is pretty sensitive. Folks now are also more distributed and it’s harder to control where they access work systems from, or if that environment is secure (eg coffee shop over VPN does little if you leave your computer unlocked and get up to get a refill). Any extra assurance can be meaningful, specially if it’s around your code.

    If you want something to take more concrete action you can enforce that a bot reject any work with unsigned commits present. Your CI can do that quite trivially even.

    It’s not perfect but it’s also, IMO, the future. GitHub supports it now but others will in time (or do). Then GitHub will have trained people to get it working and you don’t need to learn it again.

    Long article for not really saying much.

  • by yogorenapan on 3/3/24, 2:16 AM

    > It’s worth noting that only GitHub will do this, since they are the root of trust for this signing scheme

    This is completely untrue. GitLab does this. GitTea does this. You can do this manually in the command line.

    I don’t think the author knows that they’re talking about.

  • by fargle on 3/3/24, 2:54 AM

    i've been meaning to set this up for some time. now this does nothing but nudge me to do it sooner than later.