GPG signed git commits and tags for fancy GitHub integration

Fancy things are a driving factor.

Thus recently GitHub drove me to add gpg signatures to (first) tags and now to commits in general.

The reason is that those tags and commits stand out by getting a "Verified" badge. You can see the small greenish box with "Verified" on the right hand side:

You need a couple of things to get there:

  1. Make sure GnuPG is installed (dnf install gnupg2 on Fedora).

  2. A GPG key

  3. Associating your email with the key

  4. Uploaded GPG key in GitHub

  5. Configure (gpg-agent) and git to sign your commits

All of this is nicely documented at GitHub - kudos for this documentation.

Once the basics are set up, you can use this for signing commits and tags.
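The whole chain from the steps above (key, matching email, git configuration, signed commit and tag, verification) as an added example that is not part of the original post. It uses a throwaway key in a temporary GNUPGHOME so your real keyring is untouched, and assumes gpg 2.1+ and git 2.23+ are on the PATH; the name and email are constructed.

```shell
#!/bin/sh
# Added example: exercise git commit/tag signing end to end against a
# throwaway GPG key and verify the result the way a reviewer would.
set -eu

demo_signed_commit() (
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # A throwaway key (constructed identity; unprotected so signing never prompts).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" default default never
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # A fresh repo whose committer email matches a UID on the key: GitHub only
    # shows "Verified" when the commit email and the key's email agree.
    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name  "Demo Signer"
    git config user.email "demo@example.invalid"
    git config user.signingkey "$fpr"   # which key git hands to gpg
    git config commit.gpgsign true       # sign every commit automatically
    git config tag.gpgSign true          # same for annotated tags
    git config gpg.program gpg           # use gpg2 where "gpg" is the 1.x binary

    # A signed commit and a signed annotated tag.
    echo "hello" > README
    git add README
    git commit -q -m "signed commit"
    git tag -m "signed tag" v0.1

    # Verification: both must report a good signature from the key above.
    # "git log --show-signature" prints the same gpg output per commit.
    git verify-commit HEAD 2>&1 | grep -q "Good signature"
    git verify-tag v0.1 2>&1 | grep -q "Good signature"

    cd / && rm -rf "$work"
)

demo_signed_commit && echo "signed commit and tag verified"
```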

For tags I went a little step further and looked into git-evtag, which uses a stronger hash and also recurses over submodules. The primary reason for this was to allow using the git tree as a primary artefact for code delivery, which is appropriate sometimes, but not always.

And with all of this, you also get the fancy verified labels on release, as here:

August 28th, 2017 2:45pm | Tags: git, fedora, github, gnupg, gpg