Newsgroups: php.internals
Xref: news.php.net php.internals:114017
Date: Sat, 10 Apr 2021 19:21:47 +0100
Subject: Re: [PHP-DEV] Changes to Git commit workflow
From: bukka@php.net (Jakub Zelenka)
To: Bishop Bettini
Cc: Rowan Tommins, PHP internals

On Thu, Apr 1, 2021 at 3:21 PM Bishop Bettini wrote:

> On Thu, Apr 1, 2021 at 9:22 AM Rowan Tommins wrote:
>
> > On 01/04/2021 05:54, Bishop Bettini wrote:
> > > I've documented why we need signing, and how to set it up:
> > >
> > > https://wiki.php.net/vcs/commit-signing
> > >
> > > Feedback welcomed!
> >
> > This looks great, and very easy to follow.
> >
> > One edit I would strongly suggest though:
> >
> > Remove the "Passphrase:" line from the --generate-key command, so that
> > gpg will prompt interactively for the passphrase using the same entry as
> > it will use later when signing. You should never include a password or
> > passphrase in a command if you can avoid it, as it will be visible on
> > your screen, and stored in plain text in your shell history.
> >
> > Some additional tips that might be worth adding:
> >
> > As an advanced setup suggestion, "gpg --full-generate-key" launches a
> > wizard with a couple of extra prompts.
> >
> > If you're on Ubuntu and don't have a new enough git (e.g. 18.04 LTS ships
> > with 2.17.1), there is an official PPA to upgrade it; just run: "sudo
> > add-apt-repository ppa:git-core/ppa && sudo apt update && sudo apt
> > install git"
> >
> > Before pushing to github, you can verify the signature on a commit
> > locally with "git show --show-signature HEAD", or similarly for a tag by
> > passing the tag name.
>
> Excellent suggestions. I've updated the guide with these.
>
> I also added a FAQ.
>
> https://wiki.php.net/vcs/commit-signing

Nice! It would be great if we start enforcing that. I finally set it up too. I should have done it a long time ago, considering that I have been maintaining the gnupg extension for some time. :)

I think it's better to always use a subkey for signing commits, so it might be good to add that to the tutorial. Also, RSA is getting a bit heavy with big keys, so it might also be good to suggest using ECC (e.g. EdDSA), which is faster and possibly more secure. Although it's still in the expert settings, it works fine, and a good tutorial can be found here: https://dev.to/benjaminblack/signing-git-commits-with-modern-encryption-1koh .

Regards

Jakub
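The setup the thread converges on (an EdDSA key with a separate signing subkey, no passphrase on the command line, git pinned to that subkey, and the signature verified locally before pushing), as an added example that is not part of this thread, the wiki guide or the linked dev.to tutorial. It assumes gpg 2.1 or newer (needed for ed25519 keys and for batch generation with %no-protection) and git 2.x on PATH; "Demo Signer", demo@example.invalid and the temporary directories are placeholders. The whole run happens in a throwaway GNUPGHOME and a throwaway repository, so it never touches a real keyring. The only reason the demo key has no passphrase is that the script is unattended; for a real key drop the %no-protection line and let gpg prompt through pinentry, exactly as Rowan suggests above.

```shell
#!/bin/sh
# Added example (not from the php.internals thread or the wiki guide).
# Assumptions: gpg 2.1+, gpgconf and git 2.x on PATH; identity and paths
# are placeholders. Exit code 77 = "skipped" (autotools convention).

require_tools() {
    for t in gpg gpgconf git; do
        command -v "$t" >/dev/null 2>&1 || { echo "skip: $t not installed" >&2; return 77; }
    done
}

# Step 1: certify-only ed25519 primary key plus an ed25519 signing subkey.
# %no-protection is used ONLY because this keyring is deleted at the end;
# for a real key omit it so gpg prompts for the passphrase via pinentry
# instead of it ending up on screen and in shell history.
generate_demo_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: cert
Subkey-Type: eddsa
Subkey-Curve: Ed25519
Subkey-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 1y
%commit
EOF
}

# Step 2: fingerprint of the signing SUBKEY, i.e. the fpr record that
# follows the ssb record (a doubled --fingerprint lists subkey fingerprints).
signing_subkey_fpr() {
    gpg --batch --with-colons --fingerprint --fingerprint \
        --list-secret-keys demo@example.invalid 2>/dev/null |
        awk -F: '$1 == "ssb" { in_sub = 1; next } in_sub && $1 == "fpr" { print $10; exit }'
}

demo_signed_commit() {
    require_tools || return $?
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d) || return 1
    chmod 700 "$GNUPGHOME"
    demo_repo=$(mktemp -d) || return 1
    demo_rc=1
    (
        set -e
        generate_demo_key
        fpr=$(signing_subkey_fpr)
        [ -n "$fpr" ]
        echo "signing subkey: $fpr"

        # Step 3: tell git to sign with exactly that subkey. The trailing "!"
        # stops gpg from substituting another signing-capable key of the same
        # primary; commit.gpgsign=true signs every commit without needing -S.
        git init -q "$demo_repo"
        cd "$demo_repo"
        git config user.name "Demo Signer"
        git config user.email "demo@example.invalid"
        git config user.signingkey "${fpr}!"
        git config commit.gpgsign true
        git config gpg.program gpg

        echo "signed commits demo" > README
        git add README
        git commit -q -m "Add README (signed)"

        # Step 4: verify locally before pushing. %G? is G for a good signature,
        # %GK is the key that made it (expect the subkey, not the primary).
        git verify-commit HEAD 2>/dev/null
        echo "after signed commit: $(git log -1 --format='%G? %GK')"

        # Caveat: amending (like rebasing) creates a new commit object, so the
        # old signature is gone; --no-gpg-sign leaves the new one unsigned and
        # verification must now fail (%G? prints N).
        git commit -q --amend --no-edit --no-gpg-sign
        if git verify-commit HEAD 2>/dev/null; then
            echo "unexpected: unsigned amended commit verified" >&2
            exit 1
        fi
        echo "after unsigned amend: $(git log -1 --format='%G?')"

        # Re-signing the amended commit restores a verifiable signature.
        git commit -q --amend --no-edit -S
        git verify-commit HEAD 2>/dev/null
    ) && demo_rc=0
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME" "$demo_repo"
    return $demo_rc
}

demo_signed_commit
```

For a human-readable look at the same commit, `git show --show-signature HEAD` (or `git log --show-signature`) prints the gpg output inline, which is the check the thread recommends doing before pushing. The `!` suffix on `user.signingkey` is what makes the "always sign with a subkey" advice enforceable: without it gpg may fall back to the primary key if it is also sign-capable.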