[FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing

James Almer jamrial at gmail.com
Tue Aug 9 22:38:56 EEST 2022


On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
> From: Michael Niedermayer <michael-git at niedermayer.cc>
> 
> Signed-off-by: Michael Niedermayer <michael-git at niedermayer.cc>
> ---
>   doc/git-howto.texi | 22 +++++++++++++++++++++-
>   1 file changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/git-howto.texi b/doc/git-howto.texi
> index 874afabbbc..48389751a4 100644
> --- a/doc/git-howto.texi
> +++ b/doc/git-howto.texi
> @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
>   git add [-i|-p|-A] <filenames/dirnames>
>   @end example
>   
> -Make sure you have told Git your name and email address
> +Make sure you have told Git your name, email address and GPG key
>   
>   @example
>   git config --global user.name "My Name"
>   git config --global user.email my@@email.invalid
> +git config --global user.signingkey ABCDEF0123245
> + at end example
> +
> +Enable signing all commits or use -S
> +
> + at example
> +git config --global commit.gpgsign true
>   @end example
>   
>   Use @option{--global} to set the global configuration for all your Git checkouts.
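
Review bot: The sample value in the added line "git config --global
user.signingkey ABCDEF0123245" is 13 hex digits, which matches neither an
OpenPGP key ID (8 or 16 hex digits) nor a 40-digit fingerprint, so the
reader cannot tell which form is expected. Suggest a placeholder that is
clearly the full fingerprint, since short key IDs can collide, and mark it
as a variable so it is not copied literally. The added sentence "Enable
signing all commits or use -S" also does not say which command takes -S;
wording such as "or pass @option{-S} to @command{git commit}" would match
the markup used elsewhere in this file.
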
> @@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1
>   where @var{$SHA1} is the commit hash from the @command{git log} output.
>   
>   
> + at chapter gpg key generation
> +
> +If you have no gpg key yet, we recommand that you create a ed25519 based key as it

Recommend.

> +is small, fast and secure. Especially it results in small signatures in git.
> +
> + at example
> +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human at server.com"
> + at end example
> +
> +When genarting a key, make sure the email specified matches the email used in git as some sites like

Generating

> +github consider mismatches a reason to declare such commits unverified. After generating a key you
> +can add it to the MAINTAINER file and upload it to a keyserver.

Maybe link some external documentation about gpg keys, explaining the 
difference between public and private keys, how to encrypt the private 
one with a passphrase, etc.
Sites like GitLab tell you to not attempt to upload private keys, so I 
imagine quite a lot of people have mistakenly done so in the past.

> +
>   @chapter Pre-push checklist
>   
>   Once you have a set of commits that you feel are ready for pushing,
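
Review bot: In the last paragraph of the new chapter, "you can add it to
the MAINTAINER file and upload it to a keyserver" leaves "it" ambiguous;
state explicitly that only the public key (or its fingerprint) is
published, and that the private key stays local and protected by a
passphrase. The chapter also never shows how to obtain the fingerprint of
the newly generated key for the user.signingkey setting added earlier in
this patch; a pointer to "gpg --list-secret-keys --keyid-format long"
would close that gap. The example address uses server.com, while the
existing example in this file uses my@@email.invalid; a reserved domain
would be consistent.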

