On 01/04/2021 05:54, Bishop Bettini wrote:
> I've documented why we need signing, and how to set it up:
> https://wiki.php.net/vcs/commit-signing
> Feedback welcomed!

This looks great, and very easy to follow.

One edit I would strongly suggest though:

Remove the "Passphrase:" line from the --generate-key command, so that
gpg will prompt interactively for the passphrase using the same entry as
it will use later when signing. You should never include a password or
passphrase in a command if you can avoid it, as it will be visible on
your screen, and stored in plain text in your shell history.

Some additional tips that might be worth adding:

As an advanced setup suggestion, "gpg --full-generate-key" launches a
wizard with a couple of extra prompts.

If you're on Ubuntu and don't have a new enough git (e.g. 18.04 LTS ships
with 2.17.1), there is an official PPA to upgrade it; just run: "sudo
add-apt-repository ppa:git-core/ppa && sudo apt update && sudo apt
install git"

Before pushing to GitHub, you can verify the signature on a commit
locally with "git show --show-signature HEAD", or similarly for a tag by
passing the tag name.

Regards,
--
Rowan Tommins
[IMSoP]
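
Added example (not part of the message above or of the PHP wiki page): the local check before pushing, extended from a single HEAD commit to every outgoing commit by reading git's "%G?" signature status. The function names, the "origin/master" upstream and the sample hashes are assumptions made for illustration.

```shell
# Added example: list outgoing commits whose signature git did not report as good.
# Input lines look like the output of: git log --format='%H %G?'

# Explain a %G? status letter (meanings as given in the git-log documentation).
describe_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key validity unknown" ;;
        X) echo "good signature, now expired" ;;
        Y) echo "good signature, made by an expired key" ;;
        R) echo "good signature, made by a revoked key" ;;
        B) echo "bad signature" ;;
        E) echo "signature cannot be checked (missing key?)" ;;
        N) echo "no signature" ;;
        *) echo "unrecognised status '$1'" ;;
    esac
}

# Reads "<hash> <status>" lines on stdin and prints every commit that is not G.
# Exit status is 0 only when all commits carry a good signature.
unverified_commits() {
    rc=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        if [ "$status" != "G" ]; then
            printf '%s %s\n' "$hash" "$(describe_status "$status")"
            rc=1
        fi
    done
    return "$rc"
}

# Check the commits about to be pushed; "origin/master" is an assumed upstream.
check_outgoing() {
    git log --format='%H %G?' "${1:-origin/master}..HEAD" | unverified_commits
}

# Constructed sample input (the hashes are made up) so the parser runs offline.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 B
EOF
}

sample_log | unverified_commits || echo "not every commit has a good signature"
```

In a real repository, call check_outgoing (optionally with the upstream ref as its argument) before "git push"; a commit signed with a key that is not in your keyring shows up as status E.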