Have you ever run into a situation where Git just refused to obey your commands? No, I’m
not talking about that time you “typo-ed” git commit and ended up git reset --hard-ing
your repository back to the dawn of the universe, I’m talking about it really, truly,
ignoring you.
I have, so let me tell you a story about what happened and how I fixed it, so that you can
avoid future hair loss and stop questioning the nature of your reality.
With the increasing popularity of Git as a tool for open source collaboration,
not to mention as a distribution channel for code in ecosystems like Go's (where
dependencies are fetched directly from their repositories), being able to verify
that the author of a piece of code really is who they claim to be
has become absolutely critical.
This requirement extends beyond simply ensuring that malicious actors cannot
modify the code we've published, something GitHub and its kin
(usually) do a very good job of preventing. A hosting service can protect the
integrity of what is stored, but it does not vouch for who wrote it: the author
name and email recorded in a commit are whatever the committer put in their Git
configuration, and nothing stops someone from putting your name there.
The simple fact is that by adopting code someone else has written, you are
entrusting your clients' security to them, so you had best be certain that trust
is wisely placed.
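To make that concrete, here is an added example (not code from the original post) that forges a commit author using nothing but plain Git configuration. The name and address are constructed for the demonstration, and it needs only git, no GPG key or Keybase account. The `%G?` placeholder is Git's own signature-status field and reports `N` for an unsigned commit no matter what the author field says.

```shell
#!/bin/sh
# Added example, not from the original post: a commit's author is
# self-asserted metadata. Whatever is in user.name/user.email gets
# recorded verbatim, and %G? reports "N" (no signature) for the result.
# Requires only git; no GPG key or Keybase account is involved.
set -e

# Keep the demo independent of any global/system git configuration.
export GIT_CONFIG_NOSYSTEM=1
export GIT_CONFIG_GLOBAL=/dev/null
export GIT_PAGER=cat

forged_commit_summary() {
    # Identity below is constructed for the demonstration.
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" \
        -c user.name="Someone Trustworthy" \
        -c user.email="maintainer@example.com" \
        -c commit.gpgsign=false \
        commit -q --allow-empty -m "Totally legitimate change"
    # %G? is the signature status: N = no signature, G = good signature from
    # a trusted key, U = good but untrusted key, B = bad, E = cannot check.
    git -C "$repo" log -1 --format='%G? %an <%ae>'
    rm -rf "$repo"
}

forged_commit_summary
```

Run it with `sh`; the single output line shows the fabricated identity recorded verbatim, prefixed with the `N` that a signature-aware review would catch. Once commits are signed, the same field reports `G` for a good signature from a key you trust, which is exactly what `git log --show-signature` and `git verify-commit` check.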
Using Git's built-in support for PGP signing and pairing it with
Keybase provides you with a solid framework on which to build and
verify that trust. In this post I'll go over how to set up a development
environment to support this workflow.