move signing features to tools chapter

schacon · schacon · commit b2911a332144 · 2014-06-04T20:07:31.000-07:00
I feel like they’re too complicated and too often unused to be in
Chapter 2. Plus now we have signed commits.
diff --git a/book/02-git-basics/1-git-basics.asc b/book/02-git-basics/1-git-basics.asc
@@ -1295,7 +1295,9 @@ v1.8.5.5
 ==== Creating Tags
 
 Git uses two main types of tags: lightweight and annotated.
+
 A lightweight tag is very much like a branch that doesn’t change – it’s just a pointer to a specific commit.
+
 Annotated tags, however, are stored as full objects in the Git database.
 They’re checksummed; contain the tagger name, e-mail, and date; have a tagging message; and can be signed and verified with GNU Privacy Guard (GPG).
 It’s generally recommended that you create annotated tags so you can have all this information; but if you want a temporary tag or for some reason don’t want to keep the other information, lightweight tags are available too.
@@ -1337,52 +1339,6 @@ Date:   Mon Mar 17 21:52:11 2008 -0700
 
 That shows the tagger information, the date the commit was tagged, and the annotation message before showing the commit information.
 
-==== Signed Tags
-
-You can also sign your tags with GPG, assuming you have a private key.
-All you have to do is use `-s` instead of `-a`:
-
-[source,shell]
-----
-$ git tag -s v1.5 -m 'my signed 1.5 tag'
-
-You need a passphrase to unlock the secret key for
-user: "Ben Straub <ben@straub.cc>"
-2048-bit RSA key, ID 800430EB, created 2014-05-04
-
-----
-
-If you run `git show` on that tag, you can see your GPG signature attached to it:
-
-[source,shell]
---------
-$ git show v1.5
-tag v1.5
-Tagger: Ben Straub <ben@straub.cc>
-Date:   Sat May 3 20:29:41 2014 -0700
-
-my signed 1.5 tag
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJTZbQlAAoJEF0+sviABDDrZbQH/09PfE51KPVPlanr6q1v4/Ut
-LQxfojUWiLQdg2ESJItkcuweYg+kc3HCyFejeDIBw9dpXt00rY26p05qrpnG+85b
-hM1/PswpPLuBSr+oCIDj5GMC2r2iEKsfv2fJbNW8iWAXVLoWZRF8B0MfqX/YTMbm
-ecorc4iXzQu7tupRihslbNkfvfciMnSDeSvzCpWAHl7h8Wj6hhqePmLm9lAYqnKp
-8S5B/1SSQuEAjRZgI4IexpZoeKGVDptPHxLLS38fozsyi0QyDyzEgJxcJQVMXxVi
-RUysgqjcpT8+iQM1PblGfHR4XAhuOqN5Fx06PSaFZhqvWFezJ28/CLyX5q+oIVk=
-=EFTF
------END PGP SIGNATURE-----
-
-commit ca82a6dff817ec66f44342007202690a93763949
-Author: Scott Chacon <schacon@gee-mail.com>
-Date:   Mon Mar 17 21:52:11 2008 -0700
-
-    changed the verison number
---------
-
-A bit later, you’ll learn how to verify signed tags.
-
 ==== Lightweight Tags
 
 Another way to tag commits is with a lightweight tag.
@@ -1413,38 +1369,6 @@ Date:   Mon Mar 17 21:52:11 2008 -0700
     changed the verison number
 ----
 
-==== Verifying Tags
-
-To verify a signed tag, you use `git tag -v [tag-name]`.
-This command uses GPG to verify the signature.
-You need the signer’s public key in your keyring for this to work properly:
-
-[source,shell]
-----
-$ git tag -v v1.4.2.1
-object 883653babd8ee7ea23e6a5c392bb739348b1eb61
-type commit
-tag v1.4.2.1
-tagger Junio C Hamano <junkio@cox.net> 1158138501 -0700
-
-GIT 1.4.2.1
-
-Minor fixes since 1.4.2, including git-mv and git-http with alternates.
-gpg: Signature made Wed Sep 13 02:08:25 2006 PDT using DSA key ID F3119B9A
-gpg: Good signature from "Junio C Hamano <junkio@cox.net>"
-gpg:                 aka "[jpeg image of size 1513]"
-Primary key fingerprint: 3565 2A26 2040 E066 C9A7  4A7D C0C6 D9A4 F311 9B9A
-----
-
-If you don’t have the signer’s public key, you get something like this instead:
-
-[source,shell]
-----
-gpg: Signature made Wed Sep 13 02:08:25 2006 PDT using DSA key ID F3119B9A
-gpg: Can't check signature: public key not found
-error: could not verify the tag 'v1.4.2.1'
-----
-
 ==== Tagging Later
 
 You can also tag commits after you’ve moved past them.
@@ -1534,12 +1458,13 @@ To git@github.com:schacon/simplegit.git
 
 Now, when someone else clones or pulls from your repository, they will get all your tags as well.
 
+
 === Git Aliases
 
 Before we finish this chapter on basic Git, there's just one little tip that can make your Git experience simpler, easier, and more familiar: aliases.
 We won’t refer to them or assume you’ve used them later in the book, but you should probably know how to use them.
 
-Git doesn’t infer your command if you type it in partially.
+Git doesn’t automatically infer your command if you type it in partially.
 If you don’t want to type the entire text of each of the Git commands, you can easily set up an alias for each command using `git config`.
 Here are a couple of examples you may want to set up:
 
diff --git a/book/07-git-tools/1-git-tools.asc b/book/07-git-tools/1-git-tools.asc
@@ -603,6 +603,87 @@ If you want an easier way to test the stashed changes again, you can run `git st
 
 This is a nice shortcut to recover stashed work easily and work on it in a new branch.
 
+
+=== Signing Your Work
+
+Git is cryptographically secure, but it's not foolproof. If you're taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.
+
+==== Signed Tags
+
+You can also sign your tags with GPG, assuming you have a private key.
+All you have to do is use `-s` instead of `-a`:
+
+[source,shell]
+----
+$ git tag -s v1.5 -m 'my signed 1.5 tag'
+
+You need a passphrase to unlock the secret key for
+user: "Ben Straub <ben@straub.cc>"
+2048-bit RSA key, ID 800430EB, created 2014-05-04
+
+----
+
+If you run `git show` on that tag, you can see your GPG signature attached to it:
+
+[source,shell]
+--------
+$ git show v1.5
+tag v1.5
+Tagger: Ben Straub <ben@straub.cc>
+Date:   Sat May 3 20:29:41 2014 -0700
+
+my signed 1.5 tag
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJTZbQlAAoJEF0+sviABDDrZbQH/09PfE51KPVPlanr6q1v4/Ut
+LQxfojUWiLQdg2ESJItkcuweYg+kc3HCyFejeDIBw9dpXt00rY26p05qrpnG+85b
+hM1/PswpPLuBSr+oCIDj5GMC2r2iEKsfv2fJbNW8iWAXVLoWZRF8B0MfqX/YTMbm
+ecorc4iXzQu7tupRihslbNkfvfciMnSDeSvzCpWAHl7h8Wj6hhqePmLm9lAYqnKp
+8S5B/1SSQuEAjRZgI4IexpZoeKGVDptPHxLLS38fozsyi0QyDyzEgJxcJQVMXxVi
+RUysgqjcpT8+iQM1PblGfHR4XAhuOqN5Fx06PSaFZhqvWFezJ28/CLyX5q+oIVk=
+=EFTF
+-----END PGP SIGNATURE-----
+
+commit ca82a6dff817ec66f44342007202690a93763949
+Author: Scott Chacon <schacon@gee-mail.com>
+Date:   Mon Mar 17 21:52:11 2008 -0700
+
+    changed the verison number
+--------
+
+==== Verifying Tags
+
+To verify a signed tag, you use `git tag -v [tag-name]`.
+This command uses GPG to verify the signature.
+You need the signer’s public key in your keyring for this to work properly:
+
+[source,shell]
+----
+$ git tag -v v1.4.2.1
+object 883653babd8ee7ea23e6a5c392bb739348b1eb61
+type commit
+tag v1.4.2.1
+tagger Junio C Hamano <junkio@cox.net> 1158138501 -0700
+
+GIT 1.4.2.1
+
+Minor fixes since 1.4.2, including git-mv and git-http with alternates.
+gpg: Signature made Wed Sep 13 02:08:25 2006 PDT using DSA key ID F3119B9A
+gpg: Good signature from "Junio C Hamano <junkio@cox.net>"
+gpg:                 aka "[jpeg image of size 1513]"
+Primary key fingerprint: 3565 2A26 2040 E066 C9A7  4A7D C0C6 D9A4 F311 9B9A
+----
+
+If you don’t have the signer’s public key, you get something like this instead:
+
+[source,shell]
+----
+gpg: Signature made Wed Sep 13 02:08:25 2006 PDT using DSA key ID F3119B9A
+gpg: Can't check signature: public key not found
+error: could not verify the tag 'v1.4.2.1'
+----
+
 === Searching
 
 === Rewriting History
