meonkeys commented on code in PR #5431:
URL: https://github.com/apache/fineract/pull/5431#discussion_r2756732488


##########
CONTRIBUTING.md:
##########
@@ -270,3 +270,35 @@ This project's committers typically prefer to bring your 
pull requests in throug
 We expect most proposed PRs to typically consist of a single commit. 
Committers may use _Squash and merge_ to combine your commits at merge time, 
and if they do so, will rewrite your commit message as they see fit.
 
 Neither of these two are hard absolute rules, but mere conventions. Multiple 
commits in single PRs make sense in certain cases (e.g. branch backports).
+
+### Signing Your Commits
+
+We encourage contributors to sign commits with GPG keys. Signed commits show a 
"Verified" badge on GitHub.
+
+To set up GPG signing:
+
+1. Install GPG:
+   - **Mac**: `brew install gnupg`
+   - **Linux (Debian/Ubuntu)**: `sudo apt-get install gnupg`
+   - **Windows**: Download and install [Gpg4win](https://www.gpg4win.org/)
+2. Generate a key: `gpg --full-generate-key`
+   - Select `(1) RSA and RSA`
+   - Key size: `4096`
+   - Expiration: `0` (no expiration)
+   - Enter your name and GitHub email
+3. Find your key ID (the string after `rsa4096/` on the `sec` line):
+   ```bash
+   gpg --list-secret-keys --keyid-format=long
+   ```
+4. Configure Git:
+   ```bash
+   git config --global user.signingkey YOUR_KEY_ID
+   git config --global commit.gpgsign true
+   ```
+5. Add your public key to GitHub:
+   ```bash
+   gpg --armor --export YOUR_KEY_ID
+   ```
+   Copy the entire output (including `-----BEGIN PGP PUBLIC KEY BLOCK-----` 
and `-----END PGP PUBLIC KEY BLOCK-----`) and add it at: GitHub → Settings → 
SSH and GPG keys → New GPG key
+
+To verify locally before pushing: `./scripts/verify-signed-commits.sh`
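Review bot: Step 4 sets `user.signingkey` and `commit.gpgsign` but never ties the Git committer identity to the key, so a contributor whose `user.email` differs from the address entered in step 2 can sign every commit and still not get the "Verified" badge. Suggest adding a line to step 4 stating that `user.email` must be the same address used on the key, and that this address must be a verified email on the contributor's GitHub account. Separately, the closing line points at `./scripts/verify-signed-commits.sh` without saying which commits it checks or what a failure looks like; one sentence on that would help first-time contributors.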

Review Comment:
   Local first! Awesome.



##########
CONTRIBUTING.md:
##########
@@ -270,3 +270,35 @@ This project's committers typically prefer to bring your 
pull requests in throug
 We expect most proposed PRs to typically consist of a single commit. 
Committers may use _Squash and merge_ to combine your commits at merge time, 
and if they do so, will rewrite your commit message as they see fit.
 
 Neither of these two are hard absolute rules, but mere conventions. Multiple 
commits in single PRs make sense in certain cases (e.g. branch backports).
+
+### Signing Your Commits
+
+We encourage contributors to sign commits with GPG keys. Signed commits show a 
"Verified" badge on GitHub.
+
+To set up GPG signing:
+
+1. Install GPG:
+   - **Mac**: `brew install gnupg`
+   - **Linux (Debian/Ubuntu)**: `sudo apt-get install gnupg`
+   - **Windows**: Download and install [Gpg4win](https://www.gpg4win.org/)
+2. Generate a key: `gpg --full-generate-key`
+   - Select `(1) RSA and RSA`
+   - Key size: `4096`
+   - Expiration: `0` (no expiration)
+   - Enter your name and GitHub email
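Review bot: In step 2, `Expiration: 0 (no expiration)` steers contributors toward a key that remains valid indefinitely, and the guide has no step covering what to do if the private key is lost or compromised. Suggest recommending a finite expiration instead (the owner can extend it later while they still hold the private key) and adding a short step on keeping a revocation certificate somewhere safe, so a lost key does not stay trusted forever.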

Review Comment:
   Please instead augment/update and refer to 
<https://fineract.apache.org/docs/current/#_gpg_2>. That's a more up to date 
key generation guide using elliptic curve encryption instead of RSA.


