Newsgroups: php.internals
To: internals@lists.php.net
Date: Thu, 1 Apr 2021 14:21:58 +0100
Subject: Re: [PHP-DEV] Changes to Git commit workflow
From: rowan.collins@gmail.com (Rowan Tommins)

On 01/04/2021 05:54, Bishop Bettini wrote:
> I've documented why we need signing, and how to set it up:
>
> https://wiki.php.net/vcs/commit-signing
>
> Feedback welcomed!

This looks great, and very easy to follow.

One edit I would strongly suggest though: Remove the "Passphrase:" line from the --generate-key command, so that gpg will prompt interactively for the passphrase using the same entry as it will use later when signing. You should never include a password or passphrase in a command if you can avoid it, as it will be visible on your screen, and stored in plain text in your shell history.

Some additional tips that might be worth adding:

As an advanced setup suggestion, "gpg --full-generate-key" launches a wizard with a couple of extra prompts.

If you're on Ubuntu and don't have a new enough git (e.g. 18.04LTS ships with 2.17.1), there is an official PPA to upgrade it; just run: "sudo add-apt-repository ppa:git-core/ppa && sudo apt update && sudo apt install git"

Before pushing to GitHub, you can verify the signature on a commit locally with "git show --show-signature HEAD", or similarly for a tag by passing the tag name.

Regards,

-- 
Rowan Tommins
[IMSoP]
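
Added example, not part of the original message or of the PHP project's tooling: the local check mentioned above ("git show --show-signature HEAD") generalized to every commit in a range about to be pushed, using git's "%G?" signature-status placeholder. The variable ALLOW_UNTRUSTED, the function names and the sample report are assumptions made for this example.

```shell
#!/bin/sh
# Added example: reject commits in a range that lack a good signature.
# ALLOW_UNTRUSTED and sample_report are hypothetical names for this example.

# Map git's "%G?" status letter to accept (0) or reject (1).
# G = good; U = good but key validity unknown locally; N = none; B = bad;
# E = cannot be checked; X/Y = expired signature/key; R = revoked key.
sig_acceptable() {
    case "$1" in
        G) return 0 ;;
        U) [ "${ALLOW_UNTRUSTED:-0}" = "1" ] ;;
        *) return 1 ;;
    esac
}

# Read "<status> <hash> <subject>" lines on stdin, print each rejected
# commit, and return non-zero if any commit was rejected.
check_signature_report() {
    bad=0
    while read -r status hash subject; do
        [ -n "$status" ] || continue
        if ! sig_acceptable "$status"; then
            printf 'rejected %s (%s): %s\n' "$hash" "$status" "$subject"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Check every commit in a revision range such as origin/master..HEAD.
check_range() {
    git log --format='%G? %h %s' "$1" | check_signature_report
}

# Constructed sample report (not real commits) for trying the parser offline.
sample_report() {
    cat <<'EOF'
G 1a2b3c4 Fix typo in docs
N 5d6e7f8 Add feature without signing
B 9a8b7c6 Commit whose signature does not verify
EOF
}

# Run against a real repository only when a range is given as an argument.
if [ "$#" -gt 0 ]; then
    check_range "$1"
fi
```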