home/docs/pgp.md
2023-11-29 03:35:56 +00:00

124 lines
5.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# signing of our contributions
## Intro
- **Commits**: When you work on a project, especially with a team, you make changes to the code. These changes are saved in "commits". Think of a commit like a checkpoint in a video game it's a record of what your project looked like at a certain point in time.
- **Signing**: Imagine signing your commits is like putting a unique stamp on your checkpoint. This stamp proves that it was you who made the changes and that the changes haven't been tampered with since you made them.
### Why GPG Signing is Important
1. **Proof of Authorship**: GPG signing is like a digital signature. It's a way for you to say, "I made these changes, and you can be sure it was me." This is really important in projects where knowing who made specific changes is crucial for trust and security.
2. **Integrity of Code**: By signing your commits, you're also ensuring that the changes haven't been altered by someone else after you made them. It's like sealing your letter in an envelope if the seal is broken, you know someone else might have read or changed the letter.
3. **Building Trust in Open Source Communities**: In open-source projects, where many people from around the world contribute, GPG signing helps maintain a level of trust. It reassures everyone that the contributions are genuine and from known sources.
4. **Security Against Malicious Changes**: In a world where security breaches are common, GPG signing helps protect against bad actors who might want to inject harmful code into your project. If a commit isn't signed, or the signature doesn't match the person who's supposed to have made the commit, it's a red flag.
5. **Audit Trails**: In some environments, especially in professional or regulated settings, you might need a clear record of who did what and when. GPG signing provides a verifiable way to track contributions.
### In Simple Terms
Think of GPG signing like putting a unique, unforgeable autograph on your work. It helps everyone know that the work is genuinely yours and hasn't been messed with. This builds trust, especially when many people are working together, and keeps the project safe from tampering.
## Setting Up GPG Signing:
1. **Generate a GPG Key Pair**: If you don't already have a GPG key, you need to generate one. This is typically done using GnuPG tools:
```bash
gpg --gen-key
```
2. **Export the Public Key**: Once you have a GPG key, you need to export your public key and add it to your Gitea account:
```bash
gpg --armor --export your-email@example.com
```
Copy the output and add it to your Gitea user settings under "GPG Keys".
3. **Configuring Git to Sign Commits**: Configure your local Git to use your GPG key for signing commits:
```bash
git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global commit.gpgsign true
```
Replace `YOUR_GPG_KEY_ID` with the ID of your GPG key.
4. **Sign Commits**: When you make commits, they will now be signed with your GPG key. You can also manually sign commits using the `-S` flag with `git commit`.
5. **Verification in Gitea**: Once you push your signed commits to a Gitea repository, Gitea will verify the signature and display a badge next to the commit indicating its verified status.
encrypted, enhancing the security of the system.
## how to get pgp
To install GPG (also known as GnuPG, which stands for GNU Privacy Guard and is often used interchangeably with PGP, or Pretty Good Privacy) on macOS, you can use a package manager like Homebrew. Here's a step-by-step guide:
### Installing Homebrew (if you don't have it already):
1. **Open the Terminal**: You can find the Terminal app in your `Applications` -> `Utilities` folder or by searching for it using Spotlight (`Cmd + Space`).
2. **Install Homebrew**: Paste the following command in the Terminal and press `Enter`. This command is taken from the Homebrew website:
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```
- This script will explain what it will do and then pause before it does it. Read the explanations before proceeding.
### Installing GPG:
1. **Update Homebrew**: Make sure Homebrew is up-to-date by running:
```bash
brew update
```
2. **Install GPG**: Now, install GPG using Homebrew by executing:
```bash
brew install gnupg
```
3. **Verify Installation**: After the installation is complete, you can verify that GPG is installed correctly by typing:
```bash
gpg --version
```
This command should display the version of GPG installed on your system, along with other information.
### Additional Setup (Optional):
- **Generate a GPG Key Pair**: If you need to create a new GPG key for signing commits or other encryption purposes, you can generate a key pair with:
```bash
gpg --full-generate-key
```
- **List GPG Keys**: To list the GPG keys you have, you can use:
```bash
gpg --list-secret-keys --keyid-format LONG
```
- **Export Public Key**: If you want to share your public key (for example, to add it to a service like GitHub), you can export it with:
```bash
gpg --armor --export YOUR_GPG_KEY_ID
```
Replace `YOUR_GPG_KEY_ID` with the ID of your GPG key from the list you got from the previous command.
### Conclusion
Now you have GPG installed on your macOS, and you can use it for encryption, signing data, and verifying signatures. GPG is a powerful tool, so it's a good idea to read up on best practices for key management and security.
### Summary
- GPG signing in Gitea is used for ensuring the authenticity and integrity of commits and tags.
- SSL/TLS is employed to secure the web interface and repository access over HTTPS.
- Both methods are crucial for maintaining the security and trustworthiness of code hosted on Gitea.