
Use PGP for signing comments. #50

Open
da2ce7 opened this issue Oct 7, 2021 · 3 comments
Labels
best-practices Making Use of Generally Accepted Best Practices security Improve Project Security and Related Aspects

Comments

@da2ce7
Contributor

da2ce7 commented Oct 7, 2021

The use of PGP for signing comments is a good and simple way to improve the confidence of the authenticity of the commits.

It is considered good practice as it makes it very hard to impersonate the author of any particular comment.

Github has good integration with this feature: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

@da2ce7 da2ce7 added best-practices Making Use of Generally Accepted Best Practices security Improve Project Security and Related Aspects labels Oct 7, 2021
@MCM-Mike
Member

MCM-Mike commented Oct 7, 2021

When using Visual Studio Code:

Once you have enabled GPG verification for Codespaces, you also must append -S to each commit in order for it to be signed. To do this in Visual Studio Code, ensure the "Git: Enable Commit Signing" option is enabled from the Settings.

But I like the idea in general to use it across our projects. It's a bit more work, but as @da2ce7 mentions in #50 (comment), it is a simple way to improve the confidence of the authenticity of the comments.

@josecelano
Member

@da2ce7 I suppose you meant "commits" instead of "comments". I do not find any option to sign comments.

@cgbosse and I already enabled it some days ago. @yeraydavidrodriguez is also going to do it.

I was looking for an option to "force" all commits to be signed using GitHub settings, but I have not found anything.

I will also create a PR to add my key (#52).

@yeraydavidrodriguez
Collaborator

Setting up GPG on Mac OS to sign commits may sometimes be difficult.
There is plenty of information out there, like these two helpful Stack Overflow threads:

In my case, a bug in GPG produced an "Inappropriate ioctl for device" error, and the fix was this command:

export GPG_TTY=$(tty)
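As an added example that is not part of this thread or the project's own code: a POSIX shell audit that uses git's %G? format placeholder to list every commit in a range that is not verifiably signed. It is a local or CI substitute for the "force all commits to be signed" setting @josecelano was looking for, and it assumes git is installed and that the signers' public keys are in the local GPG keyring (otherwise commits are reported with status E, "cannot check").

```shell
#!/bin/sh
# Audit commit signature status using git's %G? placeholder.
# %G? values: G good, U good but key untrusted, X good but signature expired,
#             Y good but key expired, R good but key revoked, B bad signature,
#             E cannot be checked (e.g. key missing), N no signature at all.
# Input lines have the shape "<hash> <G?> <subject>", as produced by:
#   git log --format='%H %G? %s' <range>

# Read audit lines on stdin and print one line per commit that is NOT
# verifiably signed (any status other than G) with a readable reason.
# Returns 0 when every commit is good, 1 otherwise.
audit_signatures() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        hash=${line%% *}
        rest=${line#* }
        status=${rest%% *}
        subject=${rest#* }
        case "$status" in
            G) continue ;;
            U) reason="signed, but key not trusted" ;;
            X) reason="signed, but signature expired" ;;
            Y) reason="signed with an expired key" ;;
            R) reason="signed with a revoked key" ;;
            B) reason="BAD signature" ;;
            E) reason="signature could not be checked (key missing?)" ;;
            N) reason="unsigned" ;;
            *) reason="unknown status '$status'" ;;
        esac
        printf '%s %s: %s\n' "$hash" "$reason" "$subject"
        bad=1
    done
    return $bad
}

# Audit a revision range of the current repository, for example:
#   audit_range origin/main..HEAD
# Exits non-zero (suitable for a CI step) if any commit is not good.
audit_range() {
    git log --format='%H %G? %s' "$@" | audit_signatures
}
```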
