Better alternative to gpg in git? (programming.dev)

submitted 1 year ago by danhab99@programming.dev to c/ask_experienced_devs@programming.dev

2 comments fedilink hide all child comments

I got this article in a reply to a different conversation, and for the most part I agree with it. Gpg is old and we have better ways. I like signing my commits, I like feeling that these commits are actually and provably mine. But I'm not married to GPG like I used to be, I'd like a better way. The problem is that git used gpg for signing. I learned about this new thing called minisign and I wanna use it with git. So how do we switch? And if we can't switch, then how do we fix GPG?

all 4 comments

sorted by: hot top controversial new old

[-] JackbyDev@programming.dev 3 points 1 year ago

You say "how do we fix GPG" but what's wrong with GPG with regards to signing and verifying got commits?

As far as I know (which isn't a lot) got uses GPG directly and you can't have it use a different tool. It's not like using a different pager like less or cat, it uses GPG and makes assumptions about it.

[-] Skyzyx@lemmy.world 1 points 1 year ago

IIRC, GitHub.com and GitHub Enterprise support using SSH for signing. I think that whatever is used should leverage asymmetric/public-key cryptography.

Passkeys maybe?

this post was submitted on 04 Sep 2023

13 points (100.0% liked)

Ask Experienced Devs

1232 readers

1 users here now

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago

MODERATORS

Ategon@programming.dev