Over the last year I’ve been trying to understand why GPG isn’t popular. Based on the features I think it’s a pretty valid thing. This article changed my mind.
Turns out GPG is too old ¯_(ツ)_/¯
I like signing my commits, it feels good to know that my identity is actually attached to my code. So I put in some work to reconfigure git to use a different signing tool, I didn’t think it would be such a big deal, turns out git fully intergrates GPG. I’m confused. Why does git need to be hardcoded to use GPG specifically?
What rule says we can’t have git configs like:
[sigining]
defaultMethod=minisign
[signing.minisign]
always=true
signCommand=minisign -S -s {secret-key-file} -x {sig-file-name} -m {target-file}
verifyCommand=minisign -V -P {public-key-file} -m {target-file}
Where the verifyCommand exits 0 if the signature is good and 1 if not.
I’m open to hearing cons. These are some I can think of:
- User’s have to configure git with each signing and verifying program
- Upstream security conserns from signing programs
- Signing programs changing their interfaces
There was a proposal to add universal signing to Git in 2021, but I think it went nowhere for various reasons (like breaking SHA-1 <-> SHA-256 signing interoperability, if I understand the discussion correctly).
That’s kind of a bummer