Tuesday, August 27, 2019

Git Tower 3.5

fournova:

GPG is a collection of tools that allow signing and encrypting of data using asymmetric cryptography (with public / private keys). Git uses GPG to sign and verify commits and tags. With such a signature, you can easily verify that a commit (or tag) was really made by a specific user.

[…]

Tower indicates directly in its History views if a commit was signed or not. On top of that, you can also see the signature status (green / orange / red) and access additional information through a popover window.

[…]

Apart from commits, you can also verify the signatures for tags in Tower. Either right-click on the tag in the sidebar or directly click it in one of the commit views.

[…]

You can configure if you want Tower to automatically sign new commits - either just in a certain repository or globally.

It’s great that Git supports signing, but I simply don’t hear much about it.

4 Comments

> It’s great that Git supports signing, but I simply don’t hear much about it.

GitHub exposes it with a “verified” badge. Even before that, it was somewhat common in the OSS world for signing tags, ensuring integrity of releases. I don’t see much point in signing every commit, but signed release tags are a good thing to finally have in Tower (assuming you can sign them, not just verify; I wouldn’t be surprised if they omitted that part).

> but signed release tags are a good thing to finally have in Tower (assuming you can sign them, not just verify; I wouldn’t be surprised if they omitted that part).

I have good news! The release includes this as well. You can even select the key that should be used to sign a tag in the "Create Tag" dialog. It also works when finishing release and hotfix branches via git flow.

> It’s great that Git supports signing, but I simply don’t hear much about it.

It's becoming more and more popular and support for GPG ended up being one of the most requested features from our users.

@VS From the linked page:
> Signing Tags
> Apart from commits, you can also sign tags. The "Create New Tag" dialog contains a checkbox for this.

So yeah, you can definitely sign tags in Tower 3.5.

@Julian Yes, perhaps there will be a self-reinforcing cycle as the tooling, like Tower, improves so that more people are aware of it and are able to do it easily.
