This morning I got inspired by Phil Haack’s post on proving the identity of package authors. How can you know people are who they say they are online? One step along the way is social proof: you link your identities on many different services together, increasing the certainty that you are you with every service added.
The place to tie these identities together is Keybase.io.
So not only did I install and join Keybase, I decided to begin signing my Git commits with my PGP key. Signed commits on GitHub get a nice Verified badge when the key used to sign the commit matches the one registered on the given user’s profile.
This increases the public’s confidence that the commit was indeed submitted by the actual person, and when this in turn can be verified on services like Keybase, we’re almost there.
Set up commit signing
The following is a guide to setting up automatic signing of commits on macOS. It even works with the GitHub Desktop app!
I mostly use GitHub’s desktop client while working with GitHub repositories. This means that I get less exposure to the git CLI (command line interface) commands than perhaps is healthy.
But sometimes even I need to go old school.
You’ll remember that I recently experienced a snag while working on the same dotnet script script(!?!) on two different machines. During the project, I updated dotnet script on one machine but forgot to do it on the other. I wrote in my post that the solution was just to remember to upgrade on all machines, but Bernhard recommended a better solution.