docs: add signing-commits guide to git workflow scenarios#115520
Open
lazizbekravshanov wants to merge 1 commit intofirstcontributions:mainfrom
Open
docs: add signing-commits guide to git workflow scenarios#115520lazizbekravshanov wants to merge 1 commit intofirstcontributions:mainfrom
lazizbekravshanov wants to merge 1 commit intofirstcontributions:mainfrom
Conversation
Add a beginner-friendly guide to signing commits: - Explain *why* signing matters (Git identity is self-reported; signing proves authorship; GitHub shows a Verified badge). - Lead with SSH signing, which reuses an existing GitHub SSH key and is the simplest path for new contributors (Git 2.34+). - Cover GPG as a secondary path for projects/employers that require it. - Show how to sign a single commit with -S when you don't want to sign everything. - `git log --show-signature -1` for verification, plus the common GPG_TTY gotcha when pin-entry fails in a terminal. - Note the commit-email requirement for GitHub to show Verified. Index entry added to additional-material.md. Interactive-rebase as a standalone guide was considered but skipped β squashing-commits.md already covers the interactive-rebase mechanics in the context where beginners most often hit them. Adding a second guide would duplicate content. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a beginner-friendly guide for signing commits, matching the style of the existing scenario guides.
Signing commits matters because Git's
user.name/user.emailare self-reported β nothing stops someone else from configuring Git with someone else's identity and pushing under that name. GitHub shows a green Verified badge next to commits it can cryptographically verify, and many projects (especially ones with release pipelines or security boundaries) now require signed commits. The repo's existing guides don't cover this.Note on contribution workflow
.github/CONTRIBUTING.mdsays: "If you'd like to suggest a change in the tutorials or the workflow, please raise an issue. We can have a discussion to better understand the problem, get more people involved and make a collective decision."Happy to close this PR and open an issue first if that's the maintainers' preferred flow for new content.
What the guide covers
The guide leads with SSH signing (recommended for beginners) because:
gpg-agentgotchas.GPG is covered as the secondary path for projects/employers that require it, including the classic
GPG_TTYfix for pin-entry failing in a terminal.Also covered:
-Sflag for when you don't want to sign everything.git log --show-signature -1for verification.Test plan
π€ Generated with Claude Code