Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Wn5Yf-0001x8-RT for bitcoin-development@lists.sourceforge.net; Wed, 21 May 2014 12:23:45 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.213.179 as permitted sender) client-ip=209.85.213.179; envelope-from=laanwj@gmail.com; helo=mail-ig0-f179.google.com; Received: from mail-ig0-f179.google.com ([209.85.213.179]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1Wn5Ye-0004hC-4H for bitcoin-development@lists.sourceforge.net; Wed, 21 May 2014 12:23:45 +0000 Received: by mail-ig0-f179.google.com with SMTP id hn18so2002403igb.6 for ; Wed, 21 May 2014 05:23:38 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.43.155.16 with SMTP id lg16mr17506060icc.65.1400675018529; Wed, 21 May 2014 05:23:38 -0700 (PDT) Received: by 10.64.22.168 with HTTP; Wed, 21 May 2014 05:23:38 -0700 (PDT) Date: Wed, 21 May 2014 14:23:38 +0200 Message-ID: From: Wladimir To: Bitcoin Dev Content-Type: text/plain; charset=UTF-8 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (laanwj[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1Wn5Ye-0004hC-4H Subject: [Bitcoin-development] PSA: Please sign your git commits X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 May 2014 12:23:46 -0000 Hello all, When you're contributing to Bitcoin Core development please sign your git commits. This is easy to do and will help in assuring the integrity of the tree. How to sign your commits? ------------------------------------------ Provide the `-S` flag (or `--gpg-sign`) to git commit when you commit your changes, for example git commit -m "Commit message" -S Optionally you can provide a key id after the -S option to sign with a specific key. What if I forgot? ------------------------- You can retroactively sign your previous commit using --amend, for example git commit -S --amend If you need to go further back, you can use the interactive rebase command with 'edit'. Replace HEAD~3 with the base commit from which you want to start. git rebase -i HEAD~3 Replace 'pick' by 'edit' for the commit that you want to sign and the rebasing will stop after that commit. Then you can amend the commit as above. Afterwards, do git rebase --continue As this will rewrite history, you cannot do this when your commit is already merged. In that case, too bad, better luck next time. If you rewrite history for another reason - for example when squashing commits - make sure that you re-sign as the signatures will be lost. How to check if commits are signed? ------------------------------------------------------- Use git log with show-signature, git log --show-signature commit 6fcdad787f1fb381a3a0fe6b1a1e45477426dccb gpg: Signature made Wed 21 May 2014 12:27:55 PM CEST using RSA key ID 2346C9A6 gpg: Good signature from "Wladimir J. van der Laan " Author: Wladimir J. van der Laan Date: Wed May 21 12:27:37 2014 +0200 qt: Periodic language update ... You can also pass the --show-signature option to `git show` to check a single commit. If you do this on the current repository you'll see that I'm almost the only person signing commits. I would like more people to get into this habit. How to sign merges? -------------------------------- When using the github interface to merge a pull request, the resulting merge commit is not signed. Pieter Wullie wrote a script that simplifies merging and signing. It can be found in contrib/devtools. Setup instructions can be found in the README.md in that directory. After setting it up for the repository you can use the script in the following way: contrib/devtools/github-merge.sh 1234 Replace 1234 by the pull request number that you want to merge. It will merge the pull request and drop you into a shell so you can verify changes and test. Once satisfied, exit the shell and answer the questions to merge and sign it and push upstream automatically (or not). Please use this script when possible for merging instead of the github interface. -------------------------- Wladimir