How to produce signed and verified GitHuh commits

With a number of configuration steps you can produce signed and verified GitHub commits from Glamorous Toolkit.

GitHub commit signature verification is described in https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

The reason signatures and verifications are useful is because the git config options user.name and user.email can be set to anything.

Use Libgit-CLI

The functionality described here is only available through the Libgit-CLI implementation. See Using Libgit-CLI as an alternative to Libgit2 FFI in Iceberg for installation and setup instructions.

Setup

The simplest route is to upload your SSH key again as signing key and set 2 git config options:

git config --global gpg.format ssh

git config --global user.signingkey /full/path/to/your/key

Now enable the signing of commits in IceGitCliPlatform Object subclass: #IceGitCliPlatform instanceVariableNames: 'gitExecutable signalClass signCommits' classVariableNames: 'current' package: 'Iceberg-Git-CLI-Support'

IceGitCliPlatform current signCommits: true
  

This basically adds the -S option to git commit operations.

You can verify your settings by looking at the Details and Config inspector views of the current platform and by running the Validate action.

IceGitCliPlatform current
  

In the GitHub web interface, properly signed commits are marked as verified using a green label.

Here is an example of a signed and verified commit: https://github.com/feenkcom/gt4git/commit/dcc47828dd932e059c8315e918e791f1b99f117c