Session

To sign, or not to sign – everything there is to know about signing commits and tags

In today’s fast-paced software landscape, efficient release processes are critical. Git, as a decentralized version control system, relies on synchronizing changes across different repositories. However, the author information recorded in a commit is decoupled from authentication and authorization, so on its own it does not prove who created the commit. To ensure authenticity, developers can sign commits and tags using PGP or SSH keys.

Join us in this session as we explore all aspects of signing commits and tags:

- GitHub Validation: Understand how GitHub validates author information for commits and tags.
- Key Management: Learn best practices for creating and managing PGP and SSH keys.
- Security Considerations: Dive into key security measures.
- Local Signing: Discover how to sign commits and tags locally.
- GitHub and Codespaces: Explore signing within GitHub and Codespaces.
- Enforcing Signed Commits: Implement signed commits for protected branches.
- Vigilant Mode: Uncover the benefits of enabling vigilant mode.
- 1Password Integration: Utilize 1Password to store SSH keys and PGP passphrases.

Whether you’re part of large open-source projects or small security-focused teams, signing practices vary based on context and Git workflows. We’ll focus on practical scenarios where signing adds value, drawing from real-world examples. Join Michael as he shares insights on when signing accelerates progress and when it’s essential to tread carefully.

Michael Kaufmann

Microsoft MVP and RD, Founder/CEO Xpirit Germany

Stuttgart, Germany
