On Thu, Apr 1, 2021 at 9:22 AM Rowan Tommins <rowan.coll...@gmail.com> wrote:
> On 01/04/2021 05:54, Bishop Bettini wrote:
> > I've documented why we need signing, and how to set it up:
> >
> > https://wiki.php.net/vcs/commit-signing
> >
> > Feedback welcomed!
>
> This looks great, and very easy to follow.
>
> One edit I would strongly suggest though:
>
> Remove the "Passphrase:" line from the --generate-key command, so that
> gpg will prompt interactively for the passphrase using the same entry as
> it will use later when signing. You should never include a password or
> passphrase in a command if you can avoid it, as it will be visible on
> your screen, and stored in plain text in your shell history.
>
> Some additional tips that might be worth adding:
>
> As an advanced setup suggestion, "gpg --full-generate-key" launches a
> wizard with a couple of extra prompts.
>
> If you're on Ubuntu and don't have a new enough git (e.g. 18.04LTS ships
> with 2.17.1), there is an official PPA to upgrade it; just run: "sudo
> add-apt-repository ppa:git-core/ppa && sudo apt update && sudo apt
> install git"
>
> Before pushing to github, you can verify the signature on a commit
> locally with "git show --show-signature HEAD", or similarly for a tag by
> passing the tag name.

Excellent suggestions. I've updated the guide with these. I also added a FAQ.

https://wiki.php.net/vcs/commit-signing

Thank you!
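The setup the thread describes, as an added shell example that is not part of the wiki page or either message: an unattended `gpg --batch --generate-key` parameter block written without a `Passphrase:` line (so pinentry prompts for it instead of the passphrase landing in shell history), a parser for the fingerprint from `gpg --list-secret-keys --with-colons`, the git configuration that points at that key, and the local `git show --show-signature HEAD` check before pushing. The name, email and key parameters are constructed placeholders; the full run only happens when the script is invoked with `--run` and needs gpg and git (with user.name/user.email already set) on PATH.

```shell
#!/bin/sh
# Added example, not the wiki's or the thread's own code. Name/email values
# below are constructed placeholders.

# Build the gpg --batch parameter block. Deliberately no "Passphrase:" line
# and no "%no-protection": gpg then asks for the passphrase via pinentry,
# the same entry path it uses later when signing commits.
gpg_key_params() {
    name="$1"; email="$2"
    printf '%s\n' \
        '%echo Generating commit-signing key' \
        'Key-Type: RSA' \
        'Key-Length: 4096' \
        'Key-Usage: sign' \
        "Name-Real: $name" \
        "Name-Email: $email" \
        'Expire-Date: 2y' \
        '%commit' \
        '%echo done'
}

# Return non-zero unless the parameter block embeds a passphrase or turns
# protection off; useful as a guard in setup scripts.
params_leak_passphrase() {
    printf '%s\n' "$1" | grep -Eq '^(Passphrase:|%no-protection)'
}

# Read `gpg --list-secret-keys --with-colons` output on stdin and print the
# full fingerprint: field 10 of the first "fpr:" record.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate the key, point git at it, make a signed commit, verify locally.
setup_and_verify() {
    name="$1"; email="$2"
    params=$(gpg_key_params "$name" "$email")
    if params_leak_passphrase "$params"; then
        echo "refusing: passphrase material in key parameters" >&2
        return 1
    fi
    printf '%s\n' "$params" | gpg --batch --generate-key
    fpr=$(gpg --list-secret-keys --with-colons "$email" | fingerprint_from_colons)
    git config --global user.signingkey "$fpr"
    git config --global commit.gpgsign true
    git commit --allow-empty -m "signed test commit"
    # Local check before pushing: prints "Good signature from ..." on success.
    git show --show-signature HEAD
    git verify-commit HEAD
}

if [ "${1:-}" = "--run" ]; then
    setup_and_verify "Example Committer" "committer@example.invalid"
fi
```

Run it inside a throwaway repository first (`git init /tmp/sigtest && cd /tmp/sigtest && sh setup.sh --run`); `git verify-commit` exits non-zero when the signature is missing or bad, which makes it the better check for scripts, while `git show --show-signature` is the readable one for a human.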