-
1. ŠŠ¾ŃŠµŃŠ¾Šŗ
-
2. ŠŃŠ½Š¾Š²ŠøŃŠµ Š½Š° Git
- 2.1 ŠŠ¾Š±ŠøŠ²Š°ŃŠµ ŃŠŗŠ»Š°Š“ŠøŃŃŠµ Š·Š° Git
- 2.2 Š”Š½ŠøŠ¼Š°ŃŠµ Š½Š° ŠæŃŠ¾Š¼ŠµŠ½Šø Š²Š¾ ŃŠŗŠ»Š°Š“ŠøŃŃŠµŃŠ¾
- 2.3 ŠŃŠøŠŗŠ°Š¶ŃŠ²Š°ŃŠµ Š½Š° ŠøŃŃŠ¾ŃŠøŃŠ°ŃŠ° Š½Š° ŠøŠ·Š²ŃŃŃŠ²Š°ŃŠµ
- 2.4 ŠŠ¾Š½ŠøŃŃŃŠ²Š°ŃŠµ Š½Š° Š½ŠµŃŃŠ°ŃŠ°
- 2.5 Working with Remotes
- 2.6 Tagging
- 2.7 Git ŠŠ»ŠøŃŠ°ŃŠø
- 2.8 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
3. ŠŃŠ°Š½ŠµŃŠµ Š²Š¾ Git
-
4. Git Š½Š° Š”ŠµŃŠ²ŠµŃ
- 4.1 ŠŃŠ¾ŃŠ¾ŠŗŠ¾Š»ŠøŃŠµ
- 4.2 ŠŠ¾Š±ŠøŠ²Š°ŃŠµ Š½Š° Git Š½Š° ŃŠµŃŠ²ŠµŃ
- 4.3 ŠŠµŠ½ŠµŃŠøŃŠ°ŃŠµ Š½Š° Š²Š°ŃŠøŠ¾Ń SSH ŃŠ°Š²ŠµŠ½ ŠŗŠ»ŃŃ
- 4.4 ŠŠ¾ŃŃŠ°Š²ŃŠ²Š°ŃŠµ Š½Š° ŃŠµŃŠ²ŠµŃŠ¾Ń
- 4.5 ŠŠøŃ Š“ŠµŠ¼Š¾Š½
- 4.6 Smart HTTP
- 4.7 GitWeb
- 4.8 GitLab
- 4.9 ŠŠæŃŠøŠø Š·Š° Š“Š¾Š¼Š°ŃŠøŠ½Šø Š½Š° ŃŃŠµŃŠø Š»ŠøŃŠ°
- 4.10 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
5. ŠŠøŃŃŃŠøŠ±ŃŠøŃŠ°Š½ Git
-
6. GitHub
- 6.1 ŠŠ¾ŃŃŠ°Š²ŃŠ²Š°ŃŠµ ŃŠ¼ŠµŃŠŗŠ° Šø ŠŗŠ¾Š½ŃŠøŠ³ŃŃŠ°ŃŠøŃŠ°
- 6.2 ŠŃŠøŠ“Š¾Š½ŠµŃ ŠŗŠ¾Š½ ŠæŃŠ¾ŠµŠŗŃ
- 6.3 ŠŠ“ŃŠ¶ŃŠ²Š°ŃŠµ Š½Š° ŠæŃŠ¾ŠµŠŗŃ
- 6.4 Š”ŠæŠµŃŠøŃŠ°Š»Š½Šø Š“Š°ŃŠ¾ŃŠµŠŗŠø
- 6.5 Š£ŠæŃŠ°Š²ŃŠ²Š°ŃŠµ ŃŠ¾ Š¾ŃŠ³Š°Š½ŠøŠ·Š°ŃŠøŃŠ°
- 6.6 Š”ŠŗŃŠøŠæŃŠøŃŠ°ŃŠµ Š½Š° GitHub
- 6.7 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
7. Git ŠŠ»Š°ŃŠŗŠø
- 7.1 Revision Selection
- 7.2 ŠŠ½ŃŠµŃŠ°ŠŗŃŠøŠ²Š½Š¾ ŃŃŠ°Š¶ŠøŃŠ°ŃŠµ
- 7.3 Stashing and Cleaning
- 7.4 Signing Your Work
- 7.5 Searching
- 7.6 Rewriting History
- 7.7 Reset Demystified
- 7.8 ŠŠ°ŠæŃŠµŠ“Š½Š¾ ŃŠæŠ¾ŃŃŠ²Š°ŃŠµ
- 7.9 Rerere
- 7.10 ŠŠµŠ±Š°Š³ŠøŃŠ°ŃŠµ ŃŠ¾ Git
- 7.11 Submodules
- 7.12 ŠŠ±ŠøŠ²Š°ŃŠµ
- 7.13 ŠŠ°Š¼ŠµŠ½ŃŠ²Š°ŃŠµ
- 7.14 Š”ŠŗŠ»Š°Š“ŠøŃŠ°ŃŠµ Š½Š° ŠøŠ½Š³ŠµŃŠµŠ½ŃŠøŠø
- 7.15 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
8. ŠŠµŃŃŠ¾Š½Š°Š»ŠøŠ·Š°ŃŠøŃŠ° Š½Š° Git
- 8.1 Git Configuration
- 8.2 Git ŠŃŃŠøŠ±ŃŃŠø
- 8.3 Git Hooks
- 8.4 An Example Git-Enforced Policy
- 8.5 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
9. Git Šø Š“ŃŃŠ³Šø ŃŠøŃŃŠµŠ¼Šø
-
10. ŠŠ½Š°ŃŃŠµŃŠ½Š¾ŃŃŠ° Š½Š° Git
- 10.1 Plumbing and Porcelain
- 10.2 Git Objects
- 10.3 Git References
- 10.4 Packfiles
- 10.5 The Refspec
- 10.6 Transfer Protocols
- 10.7 Maintenance and Data Recovery
- 10.8 Environment Variables
- 10.9 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
A1. Appendix A: Git Š²Š¾ Š“ŃŃŠ³Šø Š¾ŠŗŠ¾Š»ŠøŠ½Šø
- A1.1 Graphical Interfaces
- A1.2 Git in Visual Studio
- A1.3 Git in Eclipse
- A1.4 Git in Bash
- A1.5 Git in Zsh
- A1.6 Git in Powershell
- A1.7 ŠŠ°ŠŗŠ»ŃŃŠ¾Šŗ
-
A2. Appendix B: ŠŠ¼ŠµŃŠ½ŃŠ²Š°ŃŠµ Š½Š° Git Š²Š¾ Š²Š°ŃŠøŃŠµ Š°ŠæŠ»ŠøŠŗŠ°ŃŠøŠø
- A2.1 Command-line Git
- A2.2 Libgit2
- A2.3 JGit
- A2.4 go-git
-
A3. Appendix C: Git ŠŗŠ¾Š¼Š°Š½Š“Šø
- A3.1 Setup and Config
- A3.2 Getting and Creating Projects
- A3.3 Basic Snapshotting
- A3.4 Branching and Merging
- A3.5 Sharing and Updating Projects
- A3.6 Inspection and Comparison
- A3.7 Debugging
- A3.8 Patching
- A3.9 Email
- A3.10 External Systems
- A3.11 Administration
- A3.12 Plumbing Commands
7.4 Git ŠŠ»Š°ŃŠŗŠø - Signing Your Work
Signing Your Work
Git is cryptographically secure, but itās not foolproof. If youāre taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.
GPG Introduction
First of all, if you want to sign anything you need to get GPG configured and your personal key installed.
$ gpg --list-keys
/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub 2048R/0A46826A 2014-06-04
uid Scott Chacon (Git signing key) <schacon@gmail.com>
sub 2048R/874529A9 2014-06-04If you donāt have a key installed, you can generate one with gpg --gen-key.
gpg --gen-keyOnce you have a private key to sign with, you can configure Git to use it for signing things by setting the user.signingkey config setting.
git config --global user.signingkey 0A46826ANow Git will use your key by default to sign tags and commits if you want.
Signing Tags
If you have a GPG private key setup, you can now use it to sign new tags.
All you have to do is use -s instead of -a:
$ git tag -s v1.5 -m 'my signed 1.5 tag'
You need a passphrase to unlock the secret key for
user: "Ben Straub <ben@straub.cc>"
2048-bit RSA key, ID 800430EB, created 2014-05-04If you run git show on that tag, you can see your GPG signature attached to it:
$ git show v1.5
tag v1.5
Tagger: Ben Straub <ben@straub.cc>
Date: Sat May 3 20:29:41 2014 -0700
my signed 1.5 tag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJTZbQlAAoJEF0+sviABDDrZbQH/09PfE51KPVPlanr6q1v4/Ut
LQxfojUWiLQdg2ESJItkcuweYg+kc3HCyFejeDIBw9dpXt00rY26p05qrpnG+85b
hM1/PswpPLuBSr+oCIDj5GMC2r2iEKsfv2fJbNW8iWAXVLoWZRF8B0MfqX/YTMbm
ecorc4iXzQu7tupRihslbNkfvfciMnSDeSvzCpWAHl7h8Wj6hhqePmLm9lAYqnKp
8S5B/1SSQuEAjRZgI4IexpZoeKGVDptPHxLLS38fozsyi0QyDyzEgJxcJQVMXxVi
RUysgqjcpT8+iQM1PblGfHR4XAhuOqN5Fx06PSaFZhqvWFezJ28/CLyX5q+oIVk=
=EFTF
-----END PGP SIGNATURE-----
commit ca82a6dff817ec66f44342007202690a93763949
Author: Scott Chacon <schacon@gee-mail.com>
Date: Mon Mar 17 21:52:11 2008 -0700
changed the version numberVerifying Tags
To verify a signed tag, you use git tag -v <tag-name>.
This command uses GPG to verify the signature.
You need the signerās public key in your keyring for this to work properly:
$ git tag -v v1.4.2.1
object 883653babd8ee7ea23e6a5c392bb739348b1eb61
type commit
tag v1.4.2.1
tagger Junio C Hamano <junkio@cox.net> 1158138501 -0700
GIT 1.4.2.1
Minor fixes since 1.4.2, including git-mv and git-http with alternates.
gpg: Signature made Wed Sep 13 02:08:25 2006 PDT using DSA key ID F3119B9A
gpg: Good signature from "Junio C Hamano <junkio@cox.net>"
gpg: aka "[jpeg image of size 1513]"
Primary key fingerprint: 3565 2A26 2040 E066 C9A7 4A7D C0C6 D9A4 F311 9B9AIf you donāt have the signerās public key, you get something like this instead:
gpg: Signature made Wed Sep 13 02:08:25 2006 PDT using DSA key ID F3119B9A
gpg: Can't check signature: public key not found
error: could not verify the tag 'v1.4.2.1'Signing Commits
In more recent versions of Git (v1.7.9 and above), you can now also sign individual commits.
If youāre interested in signing commits directly instead of just the tags, all you need to do is add a -S to your git commit command.
$ git commit -a -S -m 'signed commit'
You need a passphrase to unlock the secret key for
user: "Scott Chacon (Git signing key) <schacon@gmail.com>"
2048-bit RSA key, ID 0A46826A, created 2014-06-04
[master 5c3386c] signed commit
4 files changed, 4 insertions(+), 24 deletions(-)
rewrite Rakefile (100%)
create mode 100644 lib/git.rbTo see and verify these signatures, there is also a --show-signature option to git log.
$ git log --show-signature -1
commit 5c3386cf54bba0a33a32da706aa52bc0155503c2
gpg: Signature made Wed Jun 4 19:49:17 2014 PDT using RSA key ID 0A46826A
gpg: Good signature from "Scott Chacon (Git signing key) <schacon@gmail.com>"
Author: Scott Chacon <schacon@gmail.com>
Date: Wed Jun 4 19:49:17 2014 -0700
signed commitAdditionally, you can configure git log to check any signatures it finds and list them in its output with the %G? format.
$ git log --pretty="format:%h %G? %aN %s"
5c3386c G Scott Chacon signed commit
ca82a6d N Scott Chacon changed the version number
085bb3b N Scott Chacon removed unnecessary test code
a11bef0 N Scott Chacon first commitHere we can see that only the latest commit is signed and valid and the previous commits are not.
In Git 1.8.3 and later, git merge and git pull can be told to inspect and reject when merging a commit that does not carry a trusted GPG signature with the --verify-signatures command.
If you use this option when merging a branch and it contains commits that are not signed and valid, the merge will not work.
$ git merge --verify-signatures non-verify
fatal: Commit ab06180 does not have a GPG signature.If the merge contains only valid signed commits, the merge command will show you all the signatures it has checked and then move forward with the merge.
$ git merge --verify-signatures signed-branch
Commit 13ad65e has a good GPG signature by Scott Chacon (Git signing key) <schacon@gmail.com>
Updating 5c3386c..13ad65e
Fast-forward
README | 2 ++
1 file changed, 2 insertions(+)You can also use the -S option with the git merge command to sign the resulting merge commit itself.
The following example both verifies that every commit in the branch to be merged is signed and furthermore signs the resulting merge commit.
$ git merge --verify-signatures -S signed-branch
Commit 13ad65e has a good GPG signature by Scott Chacon (Git signing key) <schacon@gmail.com>
You need a passphrase to unlock the secret key for
user: "Scott Chacon (Git signing key) <schacon@gmail.com>"
2048-bit RSA key, ID 0A46826A, created 2014-06-04
Merge made by the 'recursive' strategy.
README | 2 ++
1 file changed, 2 insertions(+)Everyone Must Sign
Signing tags and commits is great, but if you decide to use this in your normal workflow, youāll have to make sure that everyone on your team understands how to do so. If you donāt, youāll end up spending a lot of time helping people figure out how to rewrite their commits with signed versions. Make sure you understand GPG and the benefits of signing things before adopting this as part of your standard workflow.
