This morning I got inspired by Phil Haack’s post on proving the identity of package authors. How can you know people are who they say they are online? One step along the way is social proof: you link your identities on many different services together, increasing the certainty that you are you with every service added.
The place to tie these identities together is Keybase.io.
So not only did I install and join Keybase, I decided to begin signing my Git commits with my PGP key. Signed commits on GitHub get a nice Verified badge when the key used to sign the commit matches the one registered on the given user’s profile.
This increases the public’s confidence that the commit was indeed submitted by the actual person, and when this in turn can be verified on services like Keybase, we’re almost there.
Set up commit signing
The following is a guide to setting up automatic signing of commits on macOS. It even works with the GitHub Desktop app!