About Bart Bakker

Bart is a technologist who specializes in agile software development. He is passionate about creating working software that is easy to change and to maintain.

Signing Git tags

One of Git’s interesting features is definitely the ability to sign tags. Using your GPG key-pair you can create a signed tag. Anyone with your public key can verify that you are the true creator of that tag.

Why you should sign your tags

As Git is a distributed version control system (DVCS) you need a to verify the source of a release. Just like you verify checksums of releases you download to make sure it’s the release you expect it to be (you do verify your downloads, don’t you?!), you want to prove that the tag is created by the expected trusted source.

While signing tags is more important in open-source projects, it’s generally also a good idea for your private projects. See the signing as one of the core team members placing stamp in your repository, as they release a version of their software.

Also signing tags is dead easy as I’ll show you next.

Create a signed tag

To create a signed tag all you need is a Git repository and a GPG private key you want to use to sign the tag. Don’t worry if you don’t have GPG set up yet, I’ll cover this a little later.

To make things really easy set your GPG signing key as a global configuration setting. Obviously you don’t need to do this – especially if you have more than one account (e.g. work and private) you want multiple signing keys so set them up per repository (discard the global option).

$ git config --global user.signingkey [gpg-key-id]

Now all you need to do is create a tag and sign it.

$ git tag --sign [signed-tag-name]

Verify a tag

Verifying tags is as easy as creating one.

$ git tag --verify [signed-tag-name]

However, you need the signer’s public key to be able to verify the commit. Most maintainers put their public key in a special object in the repository – an object that can only be reached from a specific tag (or of course its own SHA).

You can make your public key available in a tag as follows.

$ gpg -a --export [gpg-key-id] | git hash-object -w --stdin
    [object SHA]

    $ git tag -a [object SHA] maintainer-pgp-pub

To import a maintainer’s public key into your keyring you can show the tag.

$ git show maintainer-pgp-pub | gpg --import

Generally it is also a good idea to leave instructions on importing your public key and verifying tags in the tag message.

Create a GPG key

If you don’t have a GPG key pair yet it’s about time to create one. If you’re in doubt most likely you don’t have any but it’s always a good idea to check your list of GPG keys.

$ gpg --list-keys

If you need to, generate a key. Choose the RSA algorithm if you can as DSA only supports up to 1024 bits.

$ gpg --gen-key

As you see using GPG and signing Git tags is really simple, so there’s actually no reason not to sign your tags.

So go and sign and verify!
 

Reference: Signing Git tags from our JCG partner Bart Bakker at the Software Craft blog.

Do you want to know how to develop your skillset to become a Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

JPA Mini Book

Learn how to leverage the power of JPA in order to create robust and flexible Java applications. With this Mini Book, you will get introduced to JPA and smoothly transition to more advanced concepts.

JVM Troubleshooting Guide

The Java virtual machine is really the foundation of any Java EE platform. Learn how to master it with this advanced guide!

Given email address is already subscribed, thank you!
Oops. Something went wrong. Please try again later.
Please provide a valid email address.
Thank you, your sign-up request was successful! Please check your e-mail inbox.
Please complete the CAPTCHA.
Please fill in the required fields.

Leave a Reply


× six = 6



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy | Contact
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.
Do you want to know how to develop your skillset and become a ...
Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

Get ready to Rock!
You can download the complementary eBooks using the links below:
Close