nautilus-cyberneering / secure-git-guide

A collections of articles about Git, GitHub and GPG focused on security.
https://secure-git.guide

New article: git commit partially verified #6

Closed josecelano closed 2 years ago

josecelano commented 2 years ago

I've changed it back to draft because I want to make some minor changes/notes.

I have to make more explicit the differences between using the GitHub UI and the console. And for "merge" and "rebase and merge" cases.

  • The "partially verified" status appears when you use the console to merge with your committer info.
  • If you, for example, merge the PR using the GitHub UI, the commit appears "verified". The committer is the GitHub bot and the author is the logged-in user. Sample commit.

I'm using this repo for the experiments.

da2ce7 commented 2 years ago

@josecelano Great investigation!

You seem to be mixing up Committer, Author, and the Commit Signatures.

Git doesn't have a committer or author signature; it simply has a Commit Signature. GitHub has the concept of a committer, author and commit signature relationship.

Either the commit signature matches a key uploaded to the GitHub profile of the committer + author, only the committer, or none.

josecelano commented 2 years ago

> @josecelano Great investigation!
>
> You seem to be mixing up Committer, Author, and the Commit Signatures.
>
> Git doesn't have a committer or author signature; it simply has a Commit Signature. GitHub has the concept of a committer, author and commit signature relationship.
>
> Either the commit signature matches a key uploaded to the GitHub profile of the committer + author, only the committer, or none.

Hey @da2ce7, thank you for clarifying it. I'm still trying to understand the differences between Git and GitHub and that's a really good point. I will polish the article as I get a better understanding. I tend to assign the signature to the committer info because in the Git global configuration the signing key is in the same section as the user info. In my case:

$ git config -l | grep user
user.name=Jose Celano
user.email=josecelano@gmail.com
user.signingkey=58508C7950C7B7A2

I supposed the "user" attributes are the "committer attributes". Maybe that option should be in the "commit" section next to the "gpgsign" option.

In the official Git documentation you can read:

-S[<keyid>]
--gpg-sign[=<keyid>]
--no-gpg-sign
GPG-sign commits. The keyid argument is optional and defaults to the committer identity; if specified, it must be stuck to the option without a space. --no-gpg-sign is useful to countermand both commit.gpgSign configuration variable, and earlier --gpg-sign.

From: https://git-scm.com/docs/git-commit#Documentation/git-commit.txt---gpg-signltkeyidgt

I understand you can sign the commit with any other GPG key not related to the committer, even though I can't imagine a use case now for it. Well, maybe you could give the commit object to the author so the author can sign it and then they can give the detached signature back to the committer so they can include it in the commit header. Maybe GitHub should include a "sign request" :-).

In fact, in the more specific documentation about commit signature, they do not use the same identity for the committer and the signer.

I have to correct that in the article.
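
Added example (not code from this thread or from the secure-git-guide project): the point above, that the signing key is a property of the signature and not of the author or committer headers, is easiest to see in the raw commit object that `git cat-file commit <sha>` prints. The Python below parses such an object, rebuilds the exact bytes the signature covers (git strips only the gpgsig header before handing the object to gpg) and reports whether a signing key's email matches the author, the committer, both or neither. The sample object, its identities and its signature block are constructed for the example; the signature is a placeholder, not a real one, and `signer_relation` is a local model of the three cases da2ce7 lists, not GitHub's implementation.

```python
# Added example: parse a raw git commit object and recover what a commit
# signature actually covers. Sample data below is constructed; the
# signature block is a placeholder, not a real OpenPGP signature.
import hashlib

# Constructed sample commit object. The tree id is git's well-known empty
# tree; the parent id, identities and signature bytes are made up.
SAMPLE_COMMIT = b"\n".join([
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    b"parent 1111111111111111111111111111111111111111",
    b"author Alice Author <alice@example.com> 1652204459 +0100",
    b"committer Release Bot <bot@example.com> 1652208493 +0100",
    b"gpgsig -----BEGIN PGP SIGNATURE-----",
    b" ",  # git stores an empty line inside a header value as a lone space
    b" iQEzBAABCAAdFiEEplaceholderNotARealSignature000000000000000",
    b" =AbCd",
    b" -----END PGP SIGNATURE-----",
    b"",
    b"refactor: remove unused error (constructed sample)",
    b"",
])


def parse_headers(head: str) -> list:
    """Split the header block into (key, value) pairs; a line starting with
    a space continues the previous header (how gpgsig spans lines)."""
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers


def parse_commit(raw: bytes) -> dict:
    """Return tree, parents, author, committer, gpgsig and message."""
    head, _, message = raw.partition(b"\n\n")
    commit = {"parents": [], "gpgsig": None}
    for key, value in parse_headers(head.decode("utf-8")):
        if key == "parent":
            commit["parents"].append(value)
        else:
            commit[key] = value
    commit["message"] = message.decode("utf-8")
    return commit


def signed_payload(raw: bytes) -> bytes:
    """The bytes gpg verifies: the object minus the gpgsig header lines.
    Tree, parents, author, committer and message are all covered, so the
    signature binds those headers even when the signing key belongs to
    neither the author nor the committer."""
    head, sep, message = raw.partition(b"\n\n")
    kept = []
    in_sig = False
    for line in head.split(b"\n"):
        if line.startswith(b" ") and in_sig:
            continue  # continuation line of the gpgsig header
        in_sig = line.startswith(b"gpgsig ")
        if not in_sig:
            kept.append(line)
    return b"\n".join(kept) + sep + message


def commit_id(raw: bytes) -> str:
    """The commit's SHA-1; note it hashes the object *with* the signature."""
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()


def identity_email(ident: str) -> str:
    """Email address from a 'Name <email> timestamp tz' header value."""
    return ident[ident.index("<") + 1:ident.index(">")]


def signer_relation(signer_email: str, commit: dict) -> str:
    """Which commit identity the signing key's email matches. Local model of
    the cases described in the thread, not GitHub's implementation."""
    is_author = identity_email(commit["author"]) == signer_email
    is_committer = identity_email(commit["committer"]) == signer_email
    if is_author and is_committer:
        return "author+committer"
    if is_committer:
        return "committer"
    if is_author:
        return "author"
    return "none"


if __name__ == "__main__":
    c = parse_commit(SAMPLE_COMMIT)
    print("commit", commit_id(SAMPLE_COMMIT))
    print("author   ", c["author"])
    print("committer", c["committer"])
    print("signature covers %d bytes; key for bot@example.com matches the %s"
          % (len(signed_payload(SAMPLE_COMMIT)),
             signer_relation("bot@example.com", c)))
```

To run this on a real commit, save `git cat-file commit HEAD` to a file, pass the bytes to `parse_commit` and `signed_payload`, and write the `gpgsig` value to its own file; `gpg --verify sig.asc payload` then checks the same bytes git checks, and gpg's own output names the key that signed, independently of what the author and committer headers say.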

josecelano commented 2 years ago

Hi @da2ce7, in this PR in the git-queue repo I merged an @ivanramosnet commit with the bot account (git identity and GPG key).

We do not have the partially verified message from GitHub and this is the commit info:

$ git show --pretty=fuller --show-signature aa9089cdb0646bc1efabb2c0c0c81ee11038827c
commit aa9089cdb0646bc1efabb2c0c0c81ee11038827c
gpg: Signature made mar 10 may 2022 19:08:17 WEST
gpg:                using RSA key 76BF41FD8C0589E1D5288B29E7279F2518CA55C6
gpg: Good signature from "Nautilus Cyberneering [bot] (Online Key) <bot@nautilus-cyberneering.de>" [ultimate]
Author:     Iván Ramos Jiménez <info@ivan.ramos.name>
AuthorDate: Tue May 10 18:00:59 2022 +0100
Commit:     Nautilus Cyberneering [bot] [josecelano] <bot@nautilus-cyberneering.de>
CommitDate: Tue May 10 19:08:13 2022 +0100

    refactor: remove unused InvalidShortHashError error

Another partially verified example is the previous commit.

$ git show --pretty=fuller --show-signature d47bd36bdad81487862ae73f3464a89c1a4fe9bd
commit d47bd36bdad81487862ae73f3464a89c1a4fe9bd
gpg: Signature made mar 26 abr 2022 10:32:32 WEST
gpg:                using RSA key 76BF41FD8C0589E1D5288B29E7279F2518CA55C6
gpg: Good signature from "Nautilus Cyberneering [bot] (Online Key) <bot@nautilus-cyberneering.de>" [ultimate]
Author:     Jose Celano <josecelano@gmail.com>
AuthorDate: Tue Apr 26 10:17:45 2022 +0100
Commit:     Nautilus Cyberneering [bot] [josecelano] <bot@nautilus-cyberneering.de>
CommitDate: Tue Apr 26 10:32:30 2022 +0100

    fix: [#173] update node dependencies

I do not see any difference. I do not know why one is verified and the other one is partially verified. I have to find it out. Anyway, I have to finish running all cases in the test repo.

josecelano commented 2 years ago

This is the way I'm merging a PR into the main branch:

Update main:

git checkout main
git pull

Checkout branch in the fork:

git checkout -b ivanramosnet-issue-196-remove-deprecated-comment main
git pull https://github.com/ivanramosnet/git-queue.git issue-196-remove-deprecated-comment

Merge branch in the fork with a FF merge:

git checkout main
git merge --ff-only ivanramosnet-issue-196-remove-deprecated-comment
git show --pretty=fuller --show-signature HEAD
git push origin main
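
Added example, not from the thread or the secure-git-guide project, for the procedure above: rather than inspecting only HEAD with `git show --show-signature` before pushing, check every commit the fast-forward will push. It assumes only that git is installed and relies on `git verify-commit`, which fails for an unsigned commit as well as for one signed with a key gpg cannot find or does not trust. The repository it builds for the demonstration is constructed, with unsigned commits so the check is seen failing.

```shell
#!/bin/sh
# Added example, not code from the thread or from secure-git-guide.
# Assumes only that git is installed.

# verify_range DIR BASE TIP
# Runs `git verify-commit` on every commit in BASE..TIP inside DIR.
# Returns 0 only if all of them verify; an unsigned commit, or one signed
# with a key gpg cannot find or does not trust, makes it return 1.
verify_range() {
  dir=$1
  base=$2
  tip=$3
  status=0
  for sha in $(git -C "$dir" rev-list "$base..$tip"); do
    if git -C "$dir" verify-commit "$sha" >/dev/null 2>&1; then
      printf 'ok   %s\n' "$sha"
    else
      printf 'FAIL %s: no valid signature\n' "$sha"
      status=1
    fi
  done
  return "$status"
}

# make_unsigned_repo DIR
# Constructed sample: a fresh repository with two unsigned commits, standing
# in for a contributor branch that was fast-forwarded without signatures.
make_unsigned_repo() {
  dir=$1
  git init -q "$dir" &&
  git -C "$dir" -c user.name=Sample -c user.email=sample@example.com \
      commit -q --allow-empty --no-gpg-sign -m "base" &&
  git -C "$dir" -c user.name=Sample -c user.email=sample@example.com \
      commit -q --allow-empty --no-gpg-sign -m "unsigned change"
}
```

In the procedure above, running `verify_range . origin/main main` just before `git push origin main` checks the whole range that the fast-forward added, not only the tip; a non-zero exit means at least one commit has no signature git accepts.
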

josecelano commented 2 years ago

I suppose the commit is verified because @ivanramosnet has not enabled the "vigilant mode".

I forgot you have to enable it in your profile.

josecelano commented 2 years ago

> @josecelano Great investigation!
>
> You seem to be mixing up Committer, Author, and the Commit Signatures.
>
> Git doesn't have a committer or author signature; it simply has a Commit Signature. GitHub has the concept of a committer, author and commit signature relationship.
>
> Either the commit signature matches a key uploaded to the GitHub profile of the committer + author, only the committer, or none.

Hi @da2ce7, I've reviewed the article and rewritten some parts to include your clarification.

da2ce7 commented 2 years ago

@josecelano Good Clarification. 👍

josecelano commented 2 years ago

Hi @cgbosse, I applied your fixes/suggestions.