Microsoft MVP, DNN MVP, Xamarin Certified
I'm Andrew Hoefling, and I work for FileOnQ as a Lead Software Engineer building mobile technologies for Government, Financial and First Responders using Xamarin.
It is good practice to sign your source control commits, especially if you work in Open Source Software. On popular Open Source platforms it is very easy for someone to impersonate you by using your name and email address. Those impersonated commits will then end up linking to your account. The easiest way to prove identity is by signing your commits, which will add a nice little verified badge next to each commit.
Before you can get started with signing your commits, you need to create the necessary keys and install them onto your GitHub profile and onto the computer(s) you plan on working from.
There is a great tutorial on how to get this up and running in the GitHub Docs.
If you make any secured commit with your configured GPG key, do not ever remove that key, even if you don't use it anymore; otherwise the commits will no longer show up as verified.
Once you have your computer and GitHub accounts configured you can start signing commits the easy way.
git commit -S -m "This is a secure message"
Breaking down the command, there is one new parameter that gets passed to the commit command: -S.
If you don't pass the -S flag to the commit command your commit will be unsigned.
As a .NET developer I am constantly working with tools such as Visual Studio and Visual Studio Code. These tools do not have any built-in support for GPG signing of commits. The commands being passed by the IDE exclude the -S flag to securely sign your commit.
To get your IDE to always sign your commits you just need to update the configuration file to force:
gpgsign = true
$ git config --edit
[commit]
    gpgsign = true
Now go ahead and make a commit with any editor, and the GPG password window will pop up asking for your password before you proceed with your commit.
Here is an example configuration file:
[core]
    repositoryformatversion = 0
    filemode = false
    bare = false
    logallrefupdates = true
    symlinks = false
    ignorecase = true
[remote "origin"]
    url = https://github.com/HoeflingSoftware/Xamarin.TitleViewSample.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[commit]
    gpgsign = true
[user]
    name = Andrew Hoefling
    email = [email protected]
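To confirm that the gpgsign setting is in effect for a repository, and to find commits an IDE created before it was turned on, the script below can be sourced and run against a working copy. It is an added example, not part of the original post; the function names signing_enforced and unsigned_commits are made up here, and it only checks that a signature is present, not that it is valid.

```bash
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# Print "true" when Git will sign every commit in repo $1 without -S,
# i.e. when commit.gpgsign resolves to true; print "false" otherwise.
signing_enforced() {
    v=$(git -C "$1" config --bool --get commit.gpgsign 2>/dev/null) || v=false
    printf '%s\n' "${v:-false}"
}

# List commits reachable from revision $2 (default HEAD) in repo $1 that
# carry no signature. A signed commit stores its signature in a "gpgsig"
# header of the commit object, so this looks only at the header block
# (everything before the first blank line) and needs no keyring.
# It reports presence only; "git verify-commit <sha>" checks validity.
unsigned_commits() {
    git -C "$1" rev-list "${2:-HEAD}" | while read -r sha; do
        git -C "$1" cat-file commit "$sha" | sed '/^$/q' | grep -q '^gpgsig' ||
            git -C "$1" log -1 --format='%h %an <%ae> %s' "$sha"
    done
}

# Usage (paths and ranges are placeholders):
#   signing_enforced .
#   unsigned_commits . origin/master..HEAD
```

Any commit it lists was made without -S and without commit.gpgsign in effect, so it will not get the verified badge.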