Feb 05

With the recent 1.7.9 release, git gained support for signing commits. This was one of the last show stoppers for migrating the gentoo-x86 tree from cvs to git. Recent portage versions such as 2.1.10.45 and 2.2.0_alpha85 also added support for git gpg signed commits. So in the kde overlay we decided to test this feature together with thin manifests.

The new repoman can use git gpg signed commits if you do the following:

  1. Enable special tag in metadata/layout.conf
    sign-commits = true
  2. Install git >=1.7.9
  3. Configure your gpg sign key for git via
    git config --global user.signingkey $KEYID

After the first commit you can check that the gpg signature was added to a special field in the commit via

git log --show-signature

It will look like this

commit 9b3cafc7efb2c17b0f2baffae530196014967921
gpg: enabled debug flags: memstat
gpg: Signature made Sun Feb 5 21:06:06 2012 MSK using RSA key ID F82F92E6
gpg: Good signature from “Alexey Shvetsov ”
gpg: aka “Alexey ‘alexxy’ Shvetsov ”
gpg: aka “Alexey ‘alexxy’ Shvetsov ”
gpg: aka “Alexey Shvetsov ”
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks
Author: Alexey Shvetsov
Date: Sun Feb 5 21:05:48 2012 +0400

[metadata] Enable git signed commits by default

Signed-off-by: Alexey Shvetsov
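
An added example, not part of the original post: a small shell audit that reads `git log --show-signature` output like the one above and reports which commits lack a good signature. The sample log is constructed (only the first commit id and key line come from the post), and the function names are this example's own.

```shell
# Added example (not from the original post). Reads `git log --show-signature`
# text on stdin and prints "<status> <commit>" with status good|bad|unsigned.
classify_signatures() {
    awk '
        function emit() { if (sha != "") print status, sha }
        /^commit [0-9a-f]+/ { emit(); sha = $2; status = "unsigned"; next }
        # gpg lines start at column 0; git indents commit message text, so a
        # message that quotes gpg output is not counted as a signature.
        /^gpg: BAD signature/  { status = "bad"; next }
        /^gpg: Good signature/ { if (status != "bad") status = "good"; next }
        END { emit() }
    '
}

# Print commits lacking a good signature; exit status 1 if any were found.
unsigned_commits() {
    found=$(classify_signatures | awk '$1 != "good" { print $2 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Audit a real repository. LC_ALL=C keeps the gpg messages in English.
audit_repo() {
    LC_ALL=C git log --show-signature "$@" | unsigned_commits
}

# Constructed sample: first id is the commit shown above, the others are made up.
sample_log() {
    cat <<'EOF'
commit 9b3cafc7efb2c17b0f2baffae530196014967921
gpg: Signature made Sun Feb 5 21:06:06 2012 MSK using RSA key ID F82F92E6
gpg: Good signature from "Alexey Shvetsov"
Author: Alexey Shvetsov

    [metadata] Enable git signed commits by default

commit 1111111111111111111111111111111111111111
Author: Example Dev

    gpg: Good signature from "pasted into the message"

commit 2222222222222222222222222222222222222222
gpg: BAD signature from "Example Dev"
Author: Example Dev
EOF
}
sample_log | classify_signatures
```

A good signature only means gpg verified it against a key in the local keyring; whether that key belongs to an authorized committer is a separate check.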

5 Responses to “Git commit signing in kde overlay”

  1. kollin Says:

    When will it be implemented in the main tree?
    Could it be done for ‘emerge --sync’ also?

  2. Alexey Shvetsov Says:

    I don’t know when it will be implemented =) but we should test this kind of layout and workflow first

  3. nico Says:

    Does it need to show the person’s name six times?

  4. Alexey Shvetsov Says:

    It’s example output, in this case from the actual commit that adds the needed changes to the overlay layout.

  5. kang Says:

    So many times did the GIT devs tell me they’ll never add this because signing the tag is enough (it’s not, a single human can’t review all commits or trust or the other mergers on large projects).

    Yay. Can finally discontinue my signing hook script.
