As of MISC-43 I sign all commits - both Github and Gitlab should show a green Verified against any commits I make.
However, neither makes it particularly straight forward for you to verify signatures for yourself, meaning you have to take on trust that they've not messed up verification.
This repo exists solely to publish my public keys (also available via pgp.mit.edu
and keyserver.ubuntu.com
)
Commits will be signed with the private key associated with the following public key (key ID F289CDD2317B182C
)
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGEwjZ0BDAD5kbNHTjE5nZX1XvqXwPKMtkUo4nmlcbYphCwxerb+xxXEhe3C
T2H60XVSVLx+Az5jXi3+J2NAGFP2UNbRPiqU641n3xuTgDydJT/YRO/tbUvQmN5+
eCoET0fNEoWCG/3uvaXwKvlqRtIPrLe0/5kF6aiz0ainjjVuejFXOUTFL9hwGx1i
i1trp9b1WeXn4kzNdrv9kcQGg2kGraWeWfjiwK09vsXtI7oh1RbPFFqxQnY1i+Wx
vUrGZVy1ZpE6VLjD4fs2R8mMfOiE8P/Xc+C/xAmypFN0yp7ehWqoaDW02BhJIHME
zimsUPfRjciAMCGzBQf772+X8XCbAJ7s8Zy1m6FNF57ZfCII3WpVZL8dTZndJi3W
Hz+FV/JUz1P5GHAchW0aVRHAZxovSTMojDijHUXmIJOfh0+vpSrAqcVICTI468bg
7cGiJeRyvFodvqCxkhANouTfPk81VEEhr9RoVoHOfkfHCbDbvs5zI/2izvFoBpjA
9J592JHe89rnqUMAEQEAAbQ0QiBUYXNrZXIgPDg4MzQwOTM1K2J0YXNrZXJAdXNl
cnMubm9yZXBseS5naXRodWIuY29tPokB1AQTAQoAPhYhBFMZCTlxtlXmTMkE3/KJ
zdIxexgsBQJhMI2dAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
EPKJzdIxexgs4/0MAJ7L47p8/IyybiU2kELBqJ1R8LmH205dvF4E0zboi7uHRVlK
TWEhNKwb5xuyWn/dCzgW/JdESE3KXqfpohOFZEdIm6ZdfRta60hope9GYn2uYST7
7IQi0ZSqgbKRV1ZuE4/SwN0m83i2WTremhXuDgjGiG9EUPI5ISqK3Zg32e6AFUNt
rWKXrd8jcqs6nqHyKfVi4o3ODe/TqnFHBOx6BcndsvDZs4wmaPacdEnBlaP79oli
+j7z1nwNKlsQXis/y/G86IN4BxFz6biYMDG5U3b78RiTylp64oUAQ/89vo4e6vtX
GNPXHWl+IIfDH0c/0cwHEQIwQuPPZf4SnJY2RGbMytsovmC45rgCrUZzMNBEmuhf
Ib6aWD3H6svqDlhzSVLX+jkxUXAd3NA3U6o7tScCpdVnphVYyVcNOiwJg0yRjlMK
Yenr/mretitRuD5FzR/8lQ0yQImMzxRyHWcZu1Ev3vkkIDUbl4OrLSv1ZV7qTImg
q9MBg487xTV7cs7gJ4kCMwQQAQoAHRYhBMAdlws6JBaJLB7UL7fvdUhuCM1vBQJh
MI5VAAoJELfvdUhuCM1vYcMQAIobQv6FgvS7Bo9GGoaYa0i++oMziZoLvevyxcRs
EHtbaaUT7yP+TWX/78LsIzXh7c2bNvTV+s99D4kaJ+5VZ4t1EdVa/tTeF9QEMCW/
gOUNBj1b70F2BZ7/Et4LAungcQ8HY9qbNq+2NOurm4F7aDi2RH8/WfTaWMe/hO79
I1IGyl7WnFV1j9hLAYrOJREtMufjWtRZ7ANmFy3wnHcf3SWQA3fFQc+mdaoBKxns
o+Z/ak7VADv3gsJfTG8aNZrmh73CgmvF/B0RC3xxTuPBjP9EW8GtDytZ1JWwO9bt
y5+cXPPts2HYECaSdoxh9O4a5tQNs2JQhfnHhZGL8oNlSqGZD00x1OeeBH8epd8r
kn6NAsksk2ELoK3gYtgo9xe23xx/GmwhHwhftWgP+dwNH0fVIx9PcQLNeR0JCCTy
EyRPn0WOb/txLCQFmylD5Jih722cpJJC7c1qRTRgNAM33BuqV+p4DUvNjfnOQLya
P5xrjc61Lm0hjKRMjJualYR4cmf0uOAi8iAG/zqcg7pC67c1smVJ/cj9yqsD6LYM
doylP5cBDqcUbQAKuSux+Ezkn92OKawzjRPhvURKAepcWYMIbgcnQlzEdFDAt16C
VtBzp3y9qz/n9k1KD/apaRemgBEVTno5stKannj53GKGYxtuizqA+NrVEvvRjH+o
OHVcuQGNBGEwjZ0BDACc5/5iMR8qitht1N/oLH9YtLg4B1BQIg1DlQ8aMFNe4jVa
p091u3KgF/0HLLM7v1k2OKemBYfwZD2x4OWyIbjNAwsJMtwedDsZ9n+M1D7CQYhn
7kNtzzKTEp1+pw7HAlfQ1GcMR5WwYsCd5drukR43dpdpIM09eWwc6VklKFsysd/9
8mXFVB7yT8H+2g7nVPpqOAUwCyB+WJfRToNYneNGEPhxbjgh3+XR1bzkgsoR6rva
EbfwtXTt9DDFkKcrStpgi5RvK4zBMeGQ1np5niyVHshggG3Oa7Fl0IMmoPeCeUqX
Ffm4QQ6puHG//ReVx2TUfYbe1ey+4hFIIGqx3jV9Wl/6kk3lyl5RKS/BU1LZYu29
YMFqWN/LQLQAvVtGFbpNe/X4QDxkMdhp37D8MTuccgVPOVURM99Z65FTLE3/7nKQ
9taEgPbkau606y/fVLSy41HioJdJp7Boh7XP0SmHjBvkKoXV8uAxa8p0Y/NH3qeu
w0/grs7gqwuxBH+yU9cAEQEAAYkBvAQYAQoAJhYhBFMZCTlxtlXmTMkE3/KJzdIx
exgsBQJhMI2dAhsMBQkDwmcAAAoJEPKJzdIxexgsCN8L/3K9WM4OQ5BuwxmgA4+v
bdo4SRnG+EnVQ7XfB7Y1COjLjiO68LPcdayx0k59SrrSfdbfDtgnOE6CCwgnSvEY
22PlkqR64kxRf/XPLWqk745rv4BngmNZZ5/BbX/Oo4bBWTjfWUPRe2nb04MIWdEb
Rxabm7l8ujRnbVKb51iT5sM0L9joyMxZ1aA/YakZPVGkBjJ0eex5kKXXB9Yws5zC
MH4Smsa+ldAtOHniB77/8bG9RyBTY6v7Z5DYe2fJYrVLCYg7cTOc6IWIWgoKX1Vh
uraPq3GEuHGGPUf2SRiUlk5lDL0AR6IIWpFMyz0dMxeBO2/5ZcuX/qtzAfuRWolD
F9FLgZE2zbPoIhZ1arvPxGGhxa8rxLiFonkA/bMtGRm0C6XISiElebJrhPAVxfDk
pCvxBLhn0jGQ+z70W4eIoUXJDjSLTyzfFd2VmAdFGq5rK9lvRnT+29fs423TYxL6
PrR0k4tlSWHz8LYHTyLQ2zeW3QQR+nWzK7Ko5Ub0na1mAQ==
=/+eu
-----END PGP PUBLIC KEY BLOCK-----
In order to verify a signature, you'll need to import my public signing key in your keyring
gpg --recv-keys --keyserver keyserver.ubuntu.com F289CDD2317B182C
You can then verify that it's been signed with my main key
curl -s https://www.benta sker.co.uk/about-me | sed -n '/-----BEGIN PGP PUBLIC KEY BLOCK-----/,/^-----END PGP PUBLIC KEY BLOCK-----/p' | tee btasker_pub_key.key
Check the fingerprint matches below
$ cat btasker_pub_key.key | gpg --with-fingerprint
pub 4096R/6E08CD6F 2014-08-30 B Tasker (Main Key) <[email protected]>
Key fingerprint = C01D 970B 3A24 1689 2C1E D42F B7EF 7548 6E08 CD6F
sub 4096R/4219F5B2 2014-08-30
Then import and sign with your own key so that it becomes trusted
gpg --import btasker_pub_key.key
gpg --edit-key 6E08CD6F
sign
y
[password]
Signing the key also means that if, in future, I rotate my code signing keys you should only need to import the new public key for commits to verify.
Clone the relevant repo down, and then use verify-commit
along with the commit reference in order to verify the signature
$ git verify-commit 17e2ed8920ec836e2a38af3f614ed8107bfdb8ba
gpg: Signature made Thu 02 Sep 2021 09:53:13 BST
gpg: using RSA key 5319093971B655E64CC904DFF289CDD2317B182C
gpg: Good signature from "B Tasker <[email protected]>" [ultimate]
If you're verifying a release, you can also use git verify-tag