Cacher is the code snippet organizer for pro developers

Article: http://mikegerwitz.com/papers/git-horror-story

Theory

• faking other user's commits is easy with --author flag $ git commit --author='Foo Bar <foo@bar.com>' -m 'some commit'

• signing commits ensures:

  • someone else can't commit as myself
  • I really commited all the commits I sign

Commands

list gpg keys $ gpg --list-secret-keys

sec 4096R/8EE30EAB 2011-06-16 [expires: 2014-04-18] ^^^^^^^^

• sec line, highlighted letters should be taken

specify gpg key with git $ git config --global user.signingkey 8EE30EAB

commit and sign a commit $ git commit -S -m 'msg'

• it's just the -S flag

• it will prompt for gpg key password

• showing commit signatures $ git log --show-signature

• with this - git authomatically check whether the signature is good!

log --pretty=format flag: %G?

signed tag $ git tag -s v1.0.0 -m 'msg'

• to verify the tag $ git tag -v v1.0.0

reviewing and signing each commit

• commit author is not changed!
• commit SHAs will change!

1. rebase $ git rebase -i HEAD~x

2. set all commits to e or edit

3. reviewing a commit

• $ git diff HEAD^

1. signing a commit (again, does not change commit author) $ git commit -S --amend -C HEAD

2. continue till the end $ git rebase --continue

signing a merge

• to assert I'm the one that performed a merge
• does not assert integrity of each commit

$ git merge -S --no-ff