如何为多个开发人员签署git提交部署OpenPGP密钥?

时间:2016-04-15 14:43:16

标签: git github gnupg openpgp

有没有办法设置git,以便多个用户可以使用相同的部署密钥到存储库,但仍然在其用户名下标记了他们的提交?我之所以要问,是因为我们公司需要能够准确跟踪谁对我们的存储库进行了更改,但最好让他们都能够使用相同的部署密钥将这些更改发送到远程GitHub。这可能吗?

到目前为止,我的理解是它可能,因为他们使用1个部署密钥来验证他们推送的更改,但每个用户都有一个单独的签名密钥来识别这些特定用户所做的更改。这是对的吗?

1 个答案:

答案 0 :(得分:1)

You could create individual signing subkeys for each developer, and use those to track down who signed a commit. To do so, run gpg --edit-key [key-id] and run addkey for each user, selecting the "signing" capability only (you will have issues with more than one encryption subkey). Export those subkeys one by one through gpg --export-secret-subkeys (and remember to postfix with !, otherwise GnuPG will resolve the subkey to a primary key), for example gpg --export-secret-subkey [subkey-id]!. The developers will have to gpg --import their individual signing subkeys. All signatures issued by all of those subkeys will be linked to and displayed as issued by the primary key, but can be tracked down to the subkey used.

But be aware you cannot link OpenPGP user IDs and subkeys with tools provided by the OpenPGP standard or GnuPG. If you only need to be able to rarely connect a signature to a given developer, you can of course look up manually (by keeping book which developer has access to which private subkey); for example if you have to track down malicious code or similar incidents.

The OpenPGP way to do this would be to have a company key and individual developer (primary) keys, which are certified by the company key. I don't think that GitHub is able to follow certification paths, though; if the "signature checked" mark on GitHub is important, you'll also have to register each of the developer's keys individually.