What is the difference between git commit -S and -s?

I recently learned about signed commits, and they are recommended. We can sign commits locally with git commit -S. Afterwards I read the git man page, and there is an option named -s (used as git commit -s) which says it signs the commit. When I looked up -S, it says it signs the commit using a GPG key.

I am setting up signed commits with a GPG key on GitHub. Does this make a difference when pushing, or is it the same when pushing to the remote?

-S (short for --gpg-sign) signs your commit using gnupg and adds a PGP signature to it. This is a cryptographic signature that proves the owner of the gpg key, or a party with access to it, is the one committing/tagging.

-s (short for --signoff) adds "Signed-off-by: Username <Email>" to the end of the commit message. Anyone can put this string into a commit message (so it does not guarantee authorship), but it has been used to maintain copyright. Some projects require this DCO, the "Developer Certificate of Origin", which is essentially an attestation that the developer has certified they have the right to contribute the code.

The actual description of -s/--signoff is:

Add Signed-off-by line by the committer at the end of the commit log message. The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see http://developercertificate.org/ for more information).

As mentioned before, it basically adds a "Signed-off-by:" line at the end of the commit message, like so:

$ git log
commit 172ccc467d2171b645bb55d51146af82ac36d356 (HEAD -> master)
Author: gino <my@email.com>
Date:   Sun Nov 15 11:56:10 2020 +0900

    Added something
    
    Signed-off-by: gino <my@email.com>

You can read it as "I approve of this commit and take responsibility for it". Its purpose has already been well answered in the related post What is the Sign Off feature in Git for?. As the accepted answer there mentions, it is mostly a project-specific way of assigning responsibility to a commit, which is required when the copyright or licensing of the commit matters.

But since it is just part of the commit message, anyone can add/edit it; in fact you can add it yourself by typing it manually or by using a commit message template. You could even put someone else's name/email there. On Github, it is handled the same way as any other multi-line commit message:

... and Github will not verify the commit based on the sign-off line or show any UI indicating "this commit has been approved". This of course defeats the purpose of the DCO that the sign-off is meant for, and you can use plugins/bots to enforce it on PRs, for example probot/dco.

The -S/--gpg-sign option, on the other hand, is an actual cryptographic signature, as it uses the GPG key you generated on the machine where you made the commit, and then Github uses the public key you gave it to verify that the commit indeed came from you (or from a source that has your GPG keys). As the Github docs on signing commits say:

Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.

If a commit or tag has a signature that cannot be verified, GitHub marks the commit or tag as unverified.

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified.

A commit signed with -S and properly verified by Github will show a "Verified" indicator:

Make sure to follow the steps in GPG commit signature verification, which Github will use to:

When verifying a signature, we extract the signature and attempt to parse its key-id. We match the key-id with keys uploaded to GitHub. Until you upload your GPG key to GitHub, we cannot verify your signatures.

As to which one to use, it depends on what you are putting on Github and what your purpose for "signing commits" is. I would say that if you just want to show that it was actually you (or one of your machines/bots) that pushed that commit, then signing with a GPG key makes more sense.
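Both answers make the same security point: a Signed-off-by trailer is plain text that anyone can type, while a GPG signature is something git can actually check. The following is an added example, not code from either answer or from the probot/dco project. It audits a constructed git log (the first commit reuses the log shown above, the other two hashes are made up) the way a DCO bot would: a sign-off only counts when it matches the commit author's name and email (this matching rule is an assumption about policy), and a commit only counts as signed when git's %G? placeholder reports a good signature. The log layout is produced by the --format string in the comment, which is also an assumption about how you would feed real data to it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Record separator for this constructed sample. A real audit would get the same
# shape from:   git log --format='%H %G?%n%an <%ae>%n%B--END--'
RECORD_END = "--END--"

# Constructed sample (not real repository data):
#  1. signed off by its own author, no GPG signature (the log from the answer)
#  2. authored by mallory but carrying gino's sign-off: anyone can type that line
#  3. good GPG signature, no sign-off at all
SAMPLE_LOG = """\
172ccc467d2171b645bb55d51146af82ac36d356 N
gino <my@email.com>
Added something

Signed-off-by: gino <my@email.com>
--END--
1111111111111111111111111111111111111111 N
mallory <mallory@example.com>
Sneaky change

Signed-off-by: gino <my@email.com>
--END--
2222222222222222222222222222222222222222 G
alice <alice@example.com>
Fix typo
--END--
"""

# "Signed-off-by: Name <email>"; the space before '<' is optional, as in the
# first answer's "Username<Email>" spelling.
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.*?)\s*<(?P<email>[^>]+)>\s*$",
                        re.MULTILINE)
# "Name <email>" as git prints %an <%ae>
IDENT_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<email>[^>]+)>$")


@dataclass
class Commit:
    sha: str
    sig_status: str  # git's %G? code, see signature_ok()
    author: str      # "Name <email>"
    message: str


def parse_log(text: str) -> list[Commit]:
    """Split the constructed log format into Commit records."""
    commits = []
    for block in text.split(RECORD_END):
        block = block.strip("\n")
        if not block:
            continue
        header, author, *body = block.split("\n")
        sha, status = header.split()
        commits.append(Commit(sha, status, author, "\n".join(body)))
    return commits


def signoffs(message: str) -> list[tuple[str, str]]:
    """Return (name, lower-cased email) for every Signed-off-by trailer."""
    return [(m["name"], m["email"].lower()) for m in SIGNOFF_RE.finditer(message)]


def dco_ok(commit: Commit) -> bool:
    """Assumed DCO policy: some sign-off must match the author's name and email.
    A sign-off naming somebody else is just text in the message and does not count."""
    m = IDENT_RE.match(commit.author)
    if not m:
        return False
    return (m["name"], m["email"].lower()) in signoffs(commit.message)


def signature_ok(commit: Commit) -> bool:
    """Only 'G' is a good signature from a key the local gpg trusts.
    N = no signature, B = bad signature, U = good but key validity unknown,
    E = cannot be checked (e.g. missing key), X/Y/R = good but expired
    signature / expired key / revoked key."""
    return commit.sig_status == "G"


def audit(text: str) -> dict[str, dict[str, bool]]:
    """Per-commit verdict on both properties the answers distinguish."""
    return {c.sha: {"dco": dco_ok(c), "signed": signature_ok(c)}
            for c in parse_log(text)}


if __name__ == "__main__":
    for sha, verdict in audit(SAMPLE_LOG).items():
        print(sha[:12], verdict)
```

Note that %G? reflects the trust of the gpg keyring on the machine running git log, which is why GitHub's "Verified" badge depends on the public key you uploaded there rather than on this local status.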