
Signing commits

To make the project as secure as possible, signed commits are now required to contribute to the project. Using signatures for commits on GitHub serves several important purposes:

  • Authentication: it verifies the authenticity of the commit, ensuring that it was indeed made by the person claiming to have made it.
  • Integrity: it ensures that the commit hasn't been tampered with since it was signed. Any changes to the commit after it has been signed will invalidate the signature.
  • Trust: this ensures that all contributions come from trusted sources.
  • Visibility: on GitHub, signed commits are marked with a "verified" label, giving users and collaborators confidence in the commit's origin and integrity.

GitHub offers official documentation on the matter that can be followed to set up commit signing properly. Exegol's documentation sums it up briefly and links to it whenever needed.

While SSH (+ FIDO2) is preferred since it offers better multi-factor signing capabilities (knowledge + hardware possession factors), people who don't have the required hardware can proceed with GPG or plain SSH.

Generating a GPG key can be done by following GitHub's official documentation on the matter (generating a new GPG key). TL;DR, the commands look something like this:

```bash
# for the email, indicate your public email from https://github.com/settings/emails
# (YOUR_NAME and YOUR_EMAIL are placeholders to replace with your own values)
# algorithm: ed25519, usage: sign only, expiration: 0 (never expires)
gpg --quick-generate-key "YOUR_NAME <YOUR_EMAIL>" ed25519 sign 0
# list the keys; the long key ID is the hex string after "ed25519/" on the "sec" line
gpg --list-secret-keys --keyid-format=long
# export the public key in ASCII-armored form, to paste into GitHub (KEYID from the listing above)
gpg --armor --export $KEYID
```

Once the GPG key is generated, it can be added to the contributor's GitHub profile. Again, GitHub's documentation explains how to achieve that (adding a GPG key to your GitHub account).

Once the GPG key is generated and associated with the GitHub account, it can be used to sign commits. In order to achieve that, the contributor must configure git properly on their machine (telling git about your GPG key).

TL;DR: the commands look something like this to set it up for git CLI:

```bash
# find the long key ID of the key generated earlier
gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey $KEYID

# (option 1) configure locally on a specific repo
cd /path/to/repository && git config commit.gpgsign true

# (option 2) configure for all git operations
git config --global commit.gpgsign true
```

To set it up on IDEs, proper official documentations can be followed (e.g. GitKraken, PyCharm).
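To check on the receiving side that commits actually carry a good signature (for example the commits of a pull request before merging), git can print a per-commit signature status with the `%G?` format placeholder. The following script is an added example, not part of the Exegol documentation or tooling: it parses that output and reports commits that are unsigned or whose signature could not be verified; the `git log` format string, the sample output and the `origin/main..HEAD` range are assumptions.

```python
"""Audit commit signature status from `git log` output (added example)."""
import subprocess

# Status letters git emits for %G?; only "G" is a fully verified signature.
STATUS = {
    "G": "good signature",
    "B": "BAD signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot check (missing key or error)",
    "N": "no signature",
}
# status, hash, author, signing key ID (%GK), tab-separated (%x09)
FORMAT = "%G?%x09%H%x09%an%x09%GK"


def parse_log(text):
    """Turn tab-separated git log output into a list of dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, sha, author, key = line.split("\t", 3)
        commits.append({"status": status, "sha": sha, "author": author, "key": key})
    return commits


def unsigned_or_bad(commits, accept=("G",)):
    """Return the commits whose status is not in the accepted set."""
    return [c for c in commits if c["status"] not in accept]


def audit_range(rev_range="origin/main..HEAD"):
    """Run git for a real range (assumed default: commits not yet on origin/main)."""
    out = subprocess.run(["git", "log", f"--format={FORMAT}", rev_range],
                         capture_output=True, text=True, check=True).stdout
    return unsigned_or_bad(parse_log(out))


# Constructed sample output, not from a real repository.
SAMPLE = (
    "G\t1111111111111111111111111111111111111111\tAlice\tABCDEF0123456789\n"
    "N\t2222222222222222222222222222222222222222\tBob\t\n"
    "E\t3333333333333333333333333333333333333333\tCarol\t0123456789ABCDEF\n"
)

if __name__ == "__main__":
    for c in unsigned_or_bad(parse_log(SAMPLE)):
        print(f"{c['sha'][:12]} {c['author']}: {STATUS[c['status']]}")
```

An "E" status usually means the reviewer's keyring lacks the signer's public key, so importing the key exported with `gpg --armor --export` turns it into "G" or "U" rather than proving the commit is unsigned.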

SUCCESS

The contributor's GitHub account can be configured to mark unsigned commits as unverified or partially verified. While it's not mandatory for contributions to Exegol, since the requirement is enforced on the Exegol repositories directly, it's a nice thing to do. See GitHub's documentation on vigilant mode.
