Verify Signed Age with airSlate SignNow

Verify signed signature

hey everyone welcome back to web inspect I am Timothy Miller your host and today we're going to talk about another handy security thing that key bass makes easier so today we're going to learn about signing commits in get and pushing them up to github where we can where we can verify that we have signed them and that everything worked out as well as it should and this is actually kind of a big personal victory for me because I used to I used to work well let me show you what it looks like first so if we come in here this is what its gonna look like so when you push a commit like this a compress it message to github it'll tell you right here that it's been verified and you can click on this and it'll show you it's been signed by a verified signature so what this does is it essentially tells anyone who's looking at your comments it gives them the ability to verify that it was actually you that you are actually who you say you are so and this is something that key base makes a little bit easier for us now as I was saying this is kind of a personal victory for me I used to work on a fairly large team of developers we all worked on the same website that were probably there were over a dozen of us working on the same website and I was the main I was the main front-end guy I was the lead all of the main front-end decisions went through me anyone who wanted to make a big decision about the front end had to talk to me first so I was the main front-end guy and there was another guy who was a back-end programmer but also knew a fair amount about front-end he knew just enough to be dangerous and he would always question every decision I made and I always had good rationale behind my decisions so it wasn't that big of a deal but I was always slightly intimidated by him I never really knew what to expect from him and one thing that he would do that kind of annoyed me at the time was he set up his get pushes so that they would be signed and here to have this green verified button next to all of his commits and none of the rest of us did and it kind of seemed like a power move to me I I don't know if that's actually what it was but it's kind of what it seemed like it made made me feel bad that I somehow wasn't able to do this thing but now I can do this thing and it's really not as difficult as I thought especially when using key base here's a really handy article github written by this guy P Stadler and he has this github repository key base GPG github and it is a compendium of information on how to do it exactly this and he does go through setting up your GPG key which we've already talked about there's a video that we did I'll link it up above so assuming you've gone through our GPG video this is actually a fairly simple process so we can come down to setup get to sign all commits and what we want to do is there are two things we have to do we have to tell github what our public key is for GPG and that tells github that gives github a way of verifying your signature then we have to tell get on our local system how to sign those things and how often we want to sign those things so that's what this is doing here this is setting up your local get so get config and you set up this user signing key and you give it this so if we come into our terminal here we can do GPG list secret keys we run this command and it gives us all this all this information all you need from this is your ID which you can see this RSA 4096 a slash it's everything after that slash so the copy this and then we've got these two commands here get config user signing key so that's where we're going to paste that so get config global user dot signing key and you paste that ID from your GPU key in there and just like that you've told get how it's going to sign your commits so the second command is kind of optional this is telling it that you want to sign every commit and you don't necessarily have to do this sometimes this gets in the way I like to set this on a repository basis so I've got some repositories that I sign all of my things and some repositories where I don't and I set this on a local config on a local config basis so the way we do that is we would go to a git repository that we want to assign all of the commits for so I've got this code challenges code repository so we do get config commit dot GPG sign true and that sets it just for this one repository so it doesn't force you to sign all of your commits but it does expect you to sign your commits for this one repository that's the way I prefer to do it you can also sign commits on a commit by commit basis by using the S flag so get commit s and that will sign your commits also but I generally like to do it per repository so now that we've got that set up we need to set up our GPG key on github itself so github can know that we are signing it with the correct Heat so we go to our settings in github here and we scroll down to ssh and GPG keys and you can see i've got a bunch of stuff in here but GPG keys has its own special section we click new GPG key and then we want our public key block and if we switch back to this article it actually gives us like instructions for how to do that key base PGP export cue paste that key and then copy it to your clipboard so and that copies your public key to your clipboard and then you just come over here paste that in here at it I have we added it but that's the process you go through it'll ask you to enter your password and then you'll have it added to your github account just like that easy as that now the rest of this article is mostly a troubleshooting stuff this is if you want to put your key on another computer this is all these different options that you may or may not need so these are things that could be useful for you I didn't really use any of these things but they could be useful so I'll link this article below so you can see it and read through it if you need to another thing that I should tell you when I was running through this the first time when I was setting this up I was having trouble because when I would when I would try to sign a commit it would give me this error GPG failed to sign the data and failed to write commits object and I think it was doing that because I had multiple versions of GPG installed and it was a little bit difficult to sort all of that out here's a really good stack overflow that kind of helps with some of this stuff but what they actually suggest didn't end up working for me what I actually had to end up doing was installing or brew install GnuPG like that and it gave me it told me that wasn't installed already so I had to install that and then it told me that I needed to link it up and I linked it up and then I uninstalled and install GPG oh actually I did this the other way around I uninstalled GPG and then I installed the GnuPG and I linked GnuPG up and that seemed to fix my problems so maybe that'll help you if not the stack overflow has a lot of really good troubleshooting methods for you if you have troubles with this but ultimately after you have given github your public key and after you have set up your local get to use that that same key then it should start working and one good way to test it which is actually what I did over here is to do get commit allow empty and this allows you to create an empty commit message so and then I'll just go another test for assigning commits and then you write and quit because this is vim and you can see it worked so you can see when you commit it it doesn't actually tell you that it signed it so that's a little bit mysterious there actually a couple ways that you can check and make sure that you you signed it so if I do get log and grab this commit ID then you can actually run a command which is get commit verify ah no I got it backwards so it's get verify commit and then you paste that idea in there and it will tell you there's a signature and it's a good signature from me that's one way you can do it you can also just push it up to github and if you're using github for this reload your page and you can see the nice pretty little green button and this makes me proud to be one of the smart ones you can sign his commits now why would you do this I'm honestly not quite sure I I know I'm sure you would do this in situations where you work for a large company with a corporate target on its back and you have a lot of hackers potentially trying to insert malicious code into your repositories then signing your commits can probably be a really good idea because then you can make sure that every commit that comes into your system comes from exactly where you think it does so that's a good thing it's a good security thing I'm sure there are more reasons to this more reasons that I as not really a guru security person could tell you but we live in a time of lots of leaked passwords all over the place and lots of leaked data and the very flimsy database is full of passwords that that hackers have gained access to you and probably a lot of your passwords have been compromised in the past past so every little bit of extra level of security is going to benefit you more than it is going to hurt you so I highly recommend you guys to do this whether you use the signature or not it's good to have that set up good to have the ability to sign your quits and like I said key base just makes it so easy so that's all for today guys I hope this is useful to you if you like what we're doing here give us that thumbs up and we will be back with another tooling Tuesday next week guys remember this stuff is complicated but you can do this too don't get discouraged don't stop learning bye