The only way to certify that a Git commit was made by you is to digitally sign it with a GPG key (or an RSA key, though that is less common). Thanks to your YubiKey, you can keep your GPG key securely with you on the YubiKey, so you can always sign commits on any computer.
In this video I'll demonstrate how you can configure Git on Windows to sign all commits with the GPG key stored on your YubiKey.
A recap of the steps:
1. Configure the GPG program in Git: git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
2. List all the secret keys to find the one you need to use: gpg --list-secret-keys --keyid-format=long
3. Configure the signing key globally (or locally, per repository): git config --global user.signingkey key-id-from-previous-command
4. Tell Git to sign EVERY commit: git config --global commit.gpgsign true
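As an added example (not from the video), the following Git Bash script applies the four steps above and then checks the two things that most often leave a commit showing as "Unverified": no valid signature on the commit, and a user.email that does not match any UID on the signing key (the email problem the video troubleshoots). GPG_EXE, KEY_ID and the function names are assumptions; the gpg colon-format sample in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of the video: apply the recap steps, then verify.
set -eu

GPG_EXE="C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe"   # path from the video (assumption: Gpg4win default)
KEY_ID="${1:-}"                                          # long key id chosen in step 2

# Extract e-mail addresses from `gpg --with-colons` output. A uid record looks like
# (constructed sample): uid:u::::1700000000::HASH::Alice <alice@example.com>::::::::::0:
# Field 10 holds the user ID string; the address is the part inside <...>.
uid_emails() {
    awk -F: '$1 == "uid" { if (match($10, /<[^>]+>/)) print substr($10, RSTART + 1, RLENGTH - 2) }'
}

# Succeeds (exit 0) if the e-mail in $1 is one of the UID e-mails read on stdin.
email_on_key() {
    uid_emails | grep -qixF -- "$1"
}

configure_git_signing() {
    [ -n "$KEY_ID" ] || { echo "usage: $0 <key-id>" >&2; return 2; }
    git config --global gpg.program "$GPG_EXE"             # step 1
    git config --global user.signingkey "$KEY_ID"          # step 3
    git config --global commit.gpgsign true                # step 4
}

verify_setup() {
    email=$(git config --global user.email)
    # Step 2's listing in machine-readable form, restricted to the chosen key.
    # Git Bash accepts the Windows path when executing the binary.
    if ! "$GPG_EXE" --list-secret-keys --with-colons "$KEY_ID" | email_on_key "$email"; then
        echo "user.email '$email' is not a UID on key $KEY_ID; GitHub will show Unverified" >&2
        return 1
    fi
    # Sign an empty commit in a throwaway repo and let Git verify the signature end to end.
    tmp=$(mktemp -d)
    git -C "$tmp" init -q
    git -C "$tmp" commit -q --allow-empty -m "signing test"
    git -C "$tmp" verify-commit HEAD   # non-zero exit if the signature is absent or bad
}
```

Run it as `sh sign-setup.sh <key-id>` after adding `configure_git_signing "$@" && verify_setup` at the bottom; the YubiKey must be plugged in when the test commit is made.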
▬ Contents of this video ▬▬▬▬▬▬▬▬▬▬
00:00 - Introduction to YubiKey and GPG functionalities
01:17 - Setting up GPG on Windows
02:01 - Configuring Git to sign commits with YubiKey
03:11 - Identifying and configuring the key for signing commits
03:55 - Demonstrating a commit signing process
05:10 - Verifying the signed commit
06:21 - Importance of commit signing and YubiKey security
07:34 - Adding the GPG key to GitHub
09:37 - Troubleshooting unverified commits
11:02 - Correcting email configuration for commit signing
13:51 - Conclusion and closing remarks
29 Jul 2024