This is a bit of frustration post. I’m not a professional and some stuff is super confusing. And it might not even be programming only, as this seems to be a general issue when it comes to signing and security in computers. Every time I have to reinstall my operating system (its really only a few times in a decade), one of the things i fear most is signing into Github, signing keys and setting up local git on my Linux machine. I want the verified badge. Every time its a fight in understanding and doing the right steps, creating gpg keys and access tokens and such.
Am I the only one who struggles with this? Right now I have set it up and my test repository has the badge again. Do people care about this? Especially people like me who does a few little CLI and scripts and nothing else. Am I doing enterprise level security for the sake of an icon or is this really more secure? I do not have ANY professional background. As said I seem to have setup correctly now, so this is not asking for troubleshooting. Just wanted hear about your opinion and experience, and if any of you care.
It’s one of several reasons I moved to another platform. The amount of faff wasn’t worth it for the few projects I fiddle with.
this is a security thing, not a taft thing. you don’t need to sign commits to push them
plus gitlab and sourcehut are so much better
OP asked for:
Just wanted hear about your opinion and experience, and if any of you care.
I found the level of security required for basic functionality to be a hindrance. For small personal projects it felt like squashing a fly with a sledgehammer. A remote repo that is too much hassle to use is functionally the same as not using one.
plus gitlab and sourcehut are so much better
I think I’ll just edit out a mention of the platform I moved to. I wasn’t advocating for it. To be a bit more constructive - what makes those alternatives better?
Commit signing is not required for any functionality, unless you opt-in to some repository setting which you have to find for yourself first.
These alternatives have vastly better UI that also layout the screen much more efficiently and have more features. I find it much easier to locate information on platforms that aren’t Forgejo/Codeberg. Sourcehut’s federation through email also just works.
How often are you reinstalling your OS? Maybe that’s where your frustration should go.
yk you can backup your passphrase-protected gpg keys in one simple copy/paste command?
GPG keys
There’s your problem right there. Like, really. Use SSH keys for this, it is infinitely easier to deal with.
That has been my experience as well. Signing with SSH keys has been way easier to maintain over time than GPG. Plus you can use the same key to sign that you use for authentication to simplify system setup.
In my work organization, we don’t allow pushes from users that have not signed their commits. We also frequently make use of git blame along with git verify-commit. For this reason, we have most new developers at any level create a GPG key and add it to their GitHub profile shortly after they join or organization. We’re a medium-sized FinTech organization though, so it’s very important we keep track of who is touching what.
That said, I can’t see it being all that important to an individual unless they’re very security-focused. For me personally, I have multiple yubikeys and one is meant specifically for SSH authentication and GPG operations including signing commits. Since I use NixOS and home-manager, I use the programs.git module to setup automatic signing and key selection. I really haven’t touched it at all in years now. It was very “set it and forget it” for me.
