Claim authorship of commits *not* signed with an e-mail

I am not comfortable with sharing my e-mail online, so I have configured git as such:

$ git config user.email
iago-lito@etak

The above is not an email, or a valid email as far as I can tell. It’s just my personal <username>@<hostname>.

As a consequence, none of the commits I push on gitlab.com are automatically considered mine, since I log into gitlab with my actual e-mail address.

From my profile page, I understand that I cannot claim authorship of my commits since I cannot validate iago-lito@etak as my personal e-mail.

From this doc page, I understand that gitlab’s workaround is to provide a private e-mail @users.noreply.gitlab.com… but this would only work for commits I host on gitlab and not on other online forges.

Is there another way I can claim authorship of my commits on gitlab.com if I keep wanting to sign them with my arbitrary, neutral <username>@<hostname> construct?

Why not just create a gmail account that you won’t use for anything, and use that as your secondary email on your Gitlab account? It’s a valid email, you are not giving out your main personal email by doing it this way, and you can easily verify it since it’s a valid email account - something you cannot do with user@hostname.

Git supports .mailmap files in a repository. There is implementation work needed in GitLab though, you can follow Add support for mailmap configuration (#14909) · Issues · GitLab.org / GitLab · GitLab

My experience with Git hosts is that they will match the author’s email address for being a valid email address format. Additional verification through email activation ensures that no-one else can ‘spoof’ the author.

My recommendation is similar to Ian - create an email address, or domain alias, which you feel confident in, and nobody knows about. Domain providers have whois privacy shields, too. Some of my domains and mailboxes are hosted via Namecheap (no endorsement or ads, there are plenty of providers). Use that email address in your Git commits. Hide it from public viewing in GitLab.

2 Likes

Hi, and thank you for your feedback @iwalker @dnsmichi :)

Git supports .mailmap files in a repository. There is implementation work needed in GitLab though, you can follow #14909

IIUC this feature would require that my email be published within the .mailmap file in my project, which defeats the purpose, does it not? Unless it would be hidden within the gitlab’s repo’s internal config (which I picture as the distant .git/ folder)?

Additional verification through email activation ensures that no-one else can ‘spoof’ the author.

I don’t (yet) agree with this. Nothing prevents me from setting $ git config user.email "someone-else@gov.us" and then committing and pushing with that on, right? So I can ‘spoof’ whoever I want anyway?

My recommendation is similar to Ian - create an email address, or domain alias

Sigh, I thought about this indeed, but it feels like a workaround. I’m still hoping there would be a better way :\

You can sign your commits with a GPG key. That way, any commits made without the key are unverified. Commits signed with it are verified, which means they would either have to somehow steal your locally generated GPG key or something similar to be able to verify commits.

Even setting user@hostname doesn’t stop that. If you want to stop people impersonating then you need to sign your commits.

2 Likes

Oh, interesting. The OP is not exactly to prevent people from impersonating me, but rather to have gitlab find which commits I authored… but if I sign my commits, then maybe I can configure gitlab to trust they are mine even though they read user@hostname?

Adding an email address to an account requires it to be verified. So it’s not going to be possible for you to add user@hostname in the web interface of Gitlab since this doesn’t exist as a true email address for a domain for you to be able to receive the email and click the link to verify it.

Therefore, you will have to do as suggested, create yourself an email account wherever, which you will use in Gitlab so as not to expose your real email in your commits, and then create a GPG key for it to sign the commits.

Yes, but it can work with any email alias. iago-lito@etak does not match an email regular expression unfortunately.

You can do that, but GitLab will link only verified email addresses in the account and attribute the author.

To provide you an example: Before joining GitLab in March 2020, I created a repository and committed changes with my personal email address (gmail.com). After joining GitLab, I migrated the repository to my work account, and changed my commit email address (gitlab.com).

Commits · master · Michael Friedrich / Tech Evangelism · GitLab shows two different Michael Friedrich users.

  • https://gitlab.com/dnsmichi - gitlab.com email
  • https://gitlab.com/dnsmichi_private - gmail.com email

You can also use SSH keys for signing, which I am using. Example in Michael Friedrich / ollama-llamaindex-mixtral-python-playground · GitLab

My public SSH keys are accessible with .keys after my profile URL, https://gitlab.com/dnsmichi.keys My Git config is documented in .gitconfig · main · Michael Friedrich / dotfiles · GitLab

Git is designed to use email addresses. Before we had GitLab and other Git Hosts (I started learning in 2009), developers shared Git patch files through mailing lists. The author field in a Git commit serves as detail with whom to communicate.

There also is a workflow to “sign off” commits (not to be confused with signing commits). This is required for the Developer Certificate of Origin (DCO) and common across open source projects. The author and their email address are logged into the commit field.

# For new commits
git commit --signoff 

# To amend the latest commit in HEAD
git commit --amend --signoff

I also remember some tooling that depends on the Git commit author and email address with Puppet, and IaC workflows for automated monitoring and notifications.

TL;DR - a valid email address makes working with Git (and GitLab) easier.

1 Like
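
Added example, not part of any post in this thread: a small audit that lists, per commit, the author e-mail, git's signature status code and whether a Signed-off-by trailer is present, which makes the difference between "signing off" and signing visible. The helper names audit_commits and make_demo_repo and the user name "Example User" are assumptions made for the example; the demo history is constructed in a temporary directory and uses the user@hostname address from the question.

```shell
#!/usr/bin/env bash
# Added example: which identity claims in a history are plain text, and which
# are backed by a cryptographic signature?
# audit_commits / make_demo_repo are hypothetical helper names, not git commands.

audit_commits() {
    # Usage: audit_commits <repo-path>
    # One line per commit: <short-hash> <author-email> sig=<code> signoff=<yes|no>
    # sig is git's %G? code: N = no signature, G = good, B = bad,
    # U = good with unknown validity, E = cannot be checked (e.g. missing key).
    local repo=$1 hash email sig
    git -C "$repo" log --format='%h %ae %G?' | while read -r hash email sig; do
        # A sign-off is only a trailer line in the message; git never verifies it.
        if git -C "$repo" log -1 --format=%B "$hash" </dev/null \
                | grep -q '^Signed-off-by: '; then
            echo "$hash $email sig=$sig signoff=yes"
        else
            echo "$hash $email sig=$sig signoff=no"
        fi
    done
}

make_demo_repo() {
    # Constructed sample history: two unsigned commits, the newer one signed off.
    local repo
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.name "Example User"      # constructed name
    git -C "$repo" config user.email "iago-lito@etak"   # address from the question
    git -C "$repo" config commit.gpgsign false          # keep the demo unsigned
    git -C "$repo" commit -q --allow-empty -m "plain commit"
    git -C "$repo" commit -q --allow-empty --signoff -m "signed-off commit"
    echo "$repo"
}

# Try it: audit_commits "$(make_demo_repo)"
```

Both demo commits report sig=N: the author field and the sign-off trailer are text that git copies from the local configuration, and only a GPG or SSH signature changes the sig column.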

Thank you again @iwalker @dnsmichi. Things are getting clearer :)

I think the last missing piece to my understanding is the interplay between:

  1. Gitlab verifying my e-mail address to associate the commits signed with a.b@c.d with my gitlab account.
  2. Git/Gitlab verifying the commits (crypto-)signed with my gpg and/or ssh key(s).

Is 1 a requirement for 2 to work? It seems that 2 lights up the green verified chip; does it also associate commits to my gitlab account?

Since my gitlab account contains information about my gpg/ssh keys, can 2 suffice for gitlab to associate (crypto-)signed commits with my gitlab account? Even though I don’t have 1?