From 0386503e9377adc036a069a0b6fa1a9176f63840 Mon Sep 17 00:00:00 2001 From: x10an14 Date: Tue, 13 Jul 2021 18:02:52 +0200 Subject: [PATCH 1/3] Update displaying-verification-statuses-for-all-of-your-commits.md It says cryptographically unverified, when it in fact _is_ cryptographically verified. I'd suggest Github changes this scenario to `partially verified` at the very least (as opposed to "WARNING! WARNING! UNVERIFIED!", but ideally I'd like to be allowed to set whatever author email I want in my git commits, without that impeding on the veracity of my GPG signatures. My use-case is to not spread an email I care about more than I have to. Enough trawlers already - few if any care to parse GPG keys and extract (it seems). 9/10 times (in my personal experience) they just trawl github commit logs with a webscraping service instead. Those who think that they must match (that the git commit/tag author email gives any security at all) have a nasty surprise-in-waiting. --- ...isplaying-verification-statuses-for-all-of-your-commits.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md b/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md index 9f561f68ece2..fa543e59405b 100644 --- a/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md +++ b/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md 
@@ -16,7 +16,7 @@ redirect_from: When you work locally on your computer, Git allows you to set the author of your changes and the identity of the committer. This, potentially, makes it difficult for other people to be confident that commits and tags you create were actually created by you. To help solve this problem you can sign your commits and tags. For more information, see "[Signing commits](/github/authenticating-to-github/signing-commits)" and "[Signing tags](/github/authenticating-to-github/signing-tags)." {% data variables.product.prodname_dotcom %} marks signed commits and tags with a verification status. -By default commits and tags are marked "Verified" if they are signed with a GPG or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified, {% data variables.product.prodname_dotcom %} marks the commit or tag "Unverified." In all other cases no verification status is displayed. +By default commits and tags are marked "Verified" if they are signed with a GPG or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified - or can be cryptographically verified but the GPG key's email doesn't match the commit's author email - then {% data variables.product.prodname_dotcom %} marks the commit or tag "Unverified." In all other cases no verification status is displayed. However, you can give other users increased confidence in the identity attributed to your commits and tags by enabling vigilant mode in your {% data variables.product.prodname_dotcom %} settings. With vigilant mode enabled, all of your commits and tags are marked with one of three verification statuses. 
@@ -24,7 +24,7 @@ However, you can give other users increased confidence in the identity attribute {% data reusables.identity-and-permissions.vigilant-mode-verification-statuses %} -You should only enable vigilant mode if you sign all of your commits and tags. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified." +You should only enable vigilant mode if you sign all of your commits and tags, and ensure that you _always_ set git commit author email to an (identical) email listed on your GPG primary key when using Github. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified." {% data reusables.identity-and-permissions.verification-status-check %} From 285a06c886cf8e3009cb63ecde1c8e2a57dcc20e Mon Sep 17 00:00:00 2001 From: Laura Coursen Date: Fri, 16 Jul 2021 06:57:14 -0500 Subject: [PATCH 2/3] Add :nail_care: --- ...isplaying-verification-statuses-for-all-of-your-commits.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md b/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md index fa543e59405b..25223b7b8916 100644 --- a/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md +++ b/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md 
@@ -16,7 +16,7 @@ redirect_from: When you work locally on your computer, Git allows you to set the author of your changes and the identity of the committer. This, potentially, makes it difficult for other people to be confident that commits and tags you create were actually created by you. To help solve this problem you can sign your commits and tags. For more information, see "[Signing commits](/github/authenticating-to-github/signing-commits)" and "[Signing tags](/github/authenticating-to-github/signing-tags)." {% data variables.product.prodname_dotcom %} marks signed commits and tags with a verification status. -By default commits and tags are marked "Verified" if they are signed with a GPG or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified - or can be cryptographically verified but the GPG key's email doesn't match the commit's author email - then {% data variables.product.prodname_dotcom %} marks the commit or tag "Unverified." In all other cases no verification status is displayed. +By default commits and tags are marked "Verified" if they are signed with a GPG or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified by {% data variables.product.prodname_dotcom %}, we mark the commit or tag "Unverified." In all other cases no verification status is displayed. However, you can give other users increased confidence in the identity attributed to your commits and tags by enabling vigilant mode in your {% data variables.product.prodname_dotcom %} settings. With vigilant mode enabled, all of your commits and tags are marked with one of three verification statuses. 
@@ -24,7 +24,7 @@ However, you can give other users increased confidence in the identity attribute {% data reusables.identity-and-permissions.vigilant-mode-verification-statuses %} -You should only enable vigilant mode if you sign all of your commits and tags, and ensure that you _always_ set git commit author email to an (identical) email listed on your GPG primary key when using Github. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified." +You should only enable vigilant mode if you sign all of your commits and tags and use an email address that is verified in {% data variables.product.product_name %} for your committer email address. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified." {% data reusables.identity-and-permissions.verification-status-check %} From b544c9f3a03f5b9acc920346a8bc8cbeb975e51c Mon Sep 17 00:00:00 2001 From: Laura Coursen Date: Fri, 16 Jul 2021 06:58:28 -0500 Subject: [PATCH 3/3] =?UTF-8?q?Add=20=F0=9F=92=85=20again?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../displaying-verification-statuses-for-all-of-your-commits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md b/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md index 25223b7b8916..e509f58f9ad4 100644 --- a/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md 
+++ b/content/github/authenticating-to-github/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits.md @@ -24,7 +24,7 @@ However, you can give other users increased confidence in the identity attribute {% data reusables.identity-and-permissions.vigilant-mode-verification-statuses %} -You should only enable vigilant mode if you sign all of your commits and tags and use an email address that is verified in {% data variables.product.product_name %} for your committer email address. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified." +You should only enable vigilant mode if you sign all of your commits and tags and use an email address that is verified for your account on {% data variables.product.product_name %} as your committer email address. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified." {% data reusables.identity-and-permissions.verification-status-check %}
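Review bot: In [PATCH 1/3], first hunk (@@ -16,7), the added clause speaks only of "the GPG key's email", but the same sentence says commits and tags can be signed "with a GPG or S/MIME key", so the S/MIME case is left undefined. Either word the clause so it covers both signing methods or state explicitly that it applies to GPG signatures only. The spaced hyphens around the clause would also read better as commas or parentheses.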
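Review bot: In [PATCH 1/3], second hunk (@@ -24,7), the added condition hardcodes "Github" where the rest of the paragraph uses {% data variables.product.prodname_dotcom %}; use the variable so the name renders consistently. The sentence that follows still lists only unsigned commits and tags as ending up "Unverified", so the email condition introduced here has no stated consequence; add the mismatch case to that sentence.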
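Review bot: In [PATCH 2/3], first hunk (@@ -16,7), "we mark the commit or tag" switches to first person in a paragraph that otherwise writes "{% data variables.product.prodname_dotcom %} marks"; keep the third-person form. The rewrite also drops the statement that a signature can verify cryptographically and still be shown as "Unverified" because of an email mismatch, which is the case the 1/3 commit message set out to document. "can't be verified by" does not convey that to a reader, so keep a short clause for it or link to the page that lists the verification conditions.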
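Review bot: In [PATCH 2/3], second hunk (@@ -24,7), the condition changes from the "git commit author email" of 1/3 to "your committer email address" with no explanation in the commit message. The context paragraph of the first hunk distinguishes "the author of your changes and the identity of the committer", so confirm which of the two is checked and say so in the message. The added text also uses variables.product.product_name while the next sentence in the same paragraph uses variables.product.prodname_dotcom; pick one for the paragraph.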
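Review bot: In [PATCH 3/3], the single hunk (@@ -24,7) only rewords the sentence introduced in 2/3, and the subject "Add 💅 again" (like "Add :nail_care:" on 2/3) gives no indication of what changed or why. Squash 3/3 into 2/3 and use a subject that names the change, for example that vigilant mode requires a committer email verified for the account. The reworded sentence still mixes product_name and prodname_dotcom within one paragraph.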