
Setting up Git identities - micahhenning
https://www.micah.soy/posts/setting-up-git-identities/
======
sirn
You can also do a per-directory _global_ git configuration, e.g.

in .gitconfig, you say:

    
    
        [user]
            name = Me Myself
            email = personal@example.com
            signingkey = D34DB44F
    
        [includeIf "gitdir:~/src/github.com/work_org/"]
            path = ~/.gitconfig_work
    

Then in ~/.gitconfig_work:

    
    
        [user]
            name = Me Myself
            email = work@example.com
            signingkey = D34DC0D4
        
        [core]
            sshCommand = ssh -i ~/.ssh/work_ed25519
    

I like this way better, because I don't need to remember to specify per-
project config, as long I put them in the right directory :-)

~~~
WhyNotHugo
Why do you need to use different name/key/email between work and personal
project?

~~~
Terr_
Well, the e-mail part is pretty straightforward, since many people will have a
personal e-mail and a separate e-mail managed by their workplace IT.

If some current (or future) coworker has a question about the code, I don't
want them to necessarily e-mail me on my home account. I might not be checking
it during work hours, or I might not even be with the company anymore.

Similarly, if someone actually wants to contact my e-mail for a hobby-project,
I don't want them to send it to my work-account, which over time I might no
longer have access to anyway.

~~~
lloeki
This also applies to e.g CI systems, that are able to send build success/fails
emails to the emails in the commits instead of the default GitHub/GitLab
email.

~~~
WhyNotHugo
Actually, both GitLab and GitHub allow configuring different email addresses
per team.

The notifications don't go to the email in the git commit.

------
sbrass
Thanks for the great post! However, I discourage the usage of RSA with 4096
bit as it does not offer any substantial security over RSA with 2048 bit. The
mean idea behind the "No-4096-bit" is nicely explained by GnuPG people
themselves, [https://www.gnupg.org/faq/gnupg-
faq.html#no_default_of_rsa40...](https://www.gnupg.org/faq/gnupg-
faq.html#no_default_of_rsa4096).

Therefore, wouldn't it be more efficient to use elliptic curve cryptography,
i.e. ED25519, if you want that extra bit of security? It's included in GnuPG
since version 2.1.0 released in November 2014 - at least in an experimental
state.

~~~
NilsIRL
As suggested by the [release notes]([https://gnupg.org/faq/whats-new-
in-2.1.html#ecc](https://gnupg.org/faq/whats-new-in-2.1.html#ecc)), not many
PGP implementations support ECC.

~~~
arianvanp
Also GitHub doesn't support it. The website just crashes with "An unknown
error has occured" when you try to upload an ECC key for gpg

~~~
patrickmcnamara
GitHub definitely supports it. I've been using an Ed25519 key for about a year
now.

~~~
arianvanp
Are you sure you're talking about GPG and not SSH?

I just tried again and it did not work

------
progval
My alternative is to use multiple user accounts on my computer to work on
different projects. This solves multiple issues at once:

* Git identities (I just need to clone from the right user)

* access restriction (building one compromised project won't compromise everything else)

* no need to manage virtualenvs (or the equivalent for non-python environments), just install everything in ~/.local/

~~~
dewey
Personally this wouldn't really work for me.

I always switch between projects to get some files (Like a CI config I already
wrote for another project) or look how I have done something in another code
base. Also all my editor configs, bookmarks, browser logins for Github are all
there. If I'd have to switch between users for each project that sounds really
cumbersome.

~~~
cvwright
I do what the GP describes as well. It’s not that bad.

When you want to enable some limited sharing, it helps to create a new group
for all your user accounts.

For files and directories that you want to share, just set the group to your
new user group, and use the OS group permissions to manage read/write/execute.

------
pianoben
Nice article! The only thing I'd add is that you can extend this to multiple
GitHub identities, too, via SSH configs: [https://www.bendb.com/blog/ssh-with-
multiple-github-accounts...](https://www.bendb.com/blog/ssh-with-multiple-
github-accounts/)

I've been using variations on this technique for a few years now. It's kind of
a pain to remember which URL to use to clone a repo, but is great for keeping
that veneer of separation between work and personal projects.

~~~
epistasis
I've been using the same account for both work and personal repos, without
much issue due to the existence of github organizations.

What sorts of separation are beneficial for you? I'm wondering if I should
switch, but I don't fully understand.

~~~
pianoben
Depending on the employer and the side-project, using the same account for
both could _in theory_ bolster a (ridiculous, absurd) ownership claim over
your work, for example. Stranger things have happened.

More pragmatically, I've been burned in the past by using personal accounts
(not GitHub specifically) for work things. For example, I used a personal
commuter card for a former job's benefits program. When I left, they
deactivated my card. Awkward! Not the same kind of risk with GH, to be sure,
but after that I do prefer to keep my digital selves as compartmentalized as
possible.

------
Brajeshwar
Here is something I did. Ignore the other details in the article, and focus on
the "SSH Split Personality Disorder" part. This article was written for a
200-ish member team of a Startup and so most of won't be relevant to anyone
outside the Company.

[https://story.mobisy.com/bulletin/2019/03/08/eagle-eye-
ssh-s...](https://story.mobisy.com/bulletin/2019/03/08/eagle-eye-ssh-split-
wiki/)

I split the Git Identities based on which directory I'm working on.

------
jgeerts
What I use to switch git identities is direnv
([https://direnv.net/](https://direnv.net/)) which automatically loads
specific config based on the dir that you are in. You can use it to switch AWS
profiles, proxy settings, npm settings, maven settings, git configuration and
so on.

------
nickez
Why are they generating new GPG keypairs for every identity? This is an honest
question. I've been curious if there are any benefits to having multiple
keypairs over just one keypair and multiple uids.

Also IMO the proper way to use GPG is to generate the keys on an offline
machine and then move the private key to a physical token.

------
aesthetics1
To get around this problem I just use a simple command-line utility that I
wrote called gitswitch that I call whenever I jump to a new project. My name
never changes but my email does, so that's all the utility changes. I suppose
it would be neat to build in profiles, but I jump between 2-3 PCs regularly
and would probably forget to update my profiles.

[https://github.com/jboyer87/gitswitch](https://github.com/jboyer87/gitswitch)

Example:

    
    
      gitswitch jboyer87@my-work-email.com
    
      gitswitch jboyer87@my-personal-email.com

------
ithkuil
I found [https://github.com/prydonius/karn](https://github.com/prydonius/karn)
to be helpful (although I wish there was a more native solution)

~~~
captn3m0
Can +1 this. I have it set to run periodically, and it sets up the identities
for my "work" projects and personal projects.

------
OJFord
It's a good idea, but could do with explaining that it's not a concept built
in to git.

Until I got to 'define an alias ...' I thought it was about a user-switching
feature of git that I was unaware of.

~~~
micahhenning
It's in the second sentence of the post =P

"This is a procedure for leveraging git aliases to set an identity at the
project level..."

------
JetSpiegel
There's a project to do this properly, but integrating this on git itself
would be great. it's just a shell script really:

[https://github.com/madx/git-identity](https://github.com/madx/git-identity)

It's already on AUR:

[https://aur.archlinux.org/packages/git-identity-
git/](https://aur.archlinux.org/packages/git-identity-git/)

~~~
JetSpiegel
To clarify, this has a better API and integrates cleanly with git itself.

$ git identity -h usage: git identity [-d | --define] <identity> <name>
<email> [<ssh-file>] [<gpgkeyid>] or: git identity [-p | --print] [<identity>]
or: git identity [-s | --get-settings] or: git identity [-r | --remove]
<identity> or: git identity [-l | --list] or: git identity [-R | --list-raw]
or: git identity [--define-gpg] <gpgkeyid> or: git identity [--define-ssh]
<ssh-file> [<ssh-verbosity>] or: git identity [-u | --update] or: git identity
[-c | --get-shell-command] [<identity>] [<command>] or: git identity
<identity>

So you can define identities such as `work`, `personal`, and then after
cloning/init, run `git identity personal` to setup GPG or SSH keys, name and
email.

------
eliaspro
All this wouldn't be necessary if git supported traversing through parent
directories for a configuration lookup to have "per directory structure"
configurations. Any idea, why this relatively simple and inexpensive approach
isn't implemented? Simply because no one bothered to do it so far?

~~~
saagarjha
> All this wouldn't be necessary if git supported traversing through parent
> directories for a configuration lookup to have "per directory structure"
> configurations.

Clang-format has this “delightful” feature, which isn’t actually all that
horrible except I cannot find a way to pass it a configuration file via the
command line. If I’m editing files in /tmp (or using an editor that relies on
this directory) I have to do a nasty hack of copying ~/.clang-format to the
current directory to make it work:
[https://github.com/saagarjha/dotfiles/blob/master/_nano-
clan...](https://github.com/saagarjha/dotfiles/blob/master/_nano-clang-
format). Basically, this is a long-winded way of saying that this kind of
setting can often work but it’s really not great in certain situations.

------
Ayesh
But why?

All SSH/GPG private keys will be in the same storage anyway, and it doesn't
provide any security advantage in case a key is compromised. They are already
computationally impossible to brute Force too.

Isn't the point of GPG keys is to have an established trust? How does using
multiple keys help with it?

~~~
Jestar342
Privacy. I don't want my professional identity muddled with my personal
identity.

~~~
SAI_Peregrinus
My work laptop is owned by my company. All company work goes on there. (And
since it's a company-owned resource anything made using it is something they
could claim rights to.)

My personal computer is owned by me. Nothing company owned touches it.

This makes domain separation easier.

------
sleepychu
[https://github.com/bobbo/git-profile](https://github.com/bobbo/git-profile)
is a utility my friend wrote to do the same thing.

------
lawry
Would someone happen to know, what the icon looking like a [ is in front of
every command prompt. And potentially how to remove it from appearing?

------
kanox
I just have multiple .gitconfig files and symlink them based on `hostname`.
It's easy and there is no per-repo setup.

------
naetius
Not sure why GPG got in the picture. As other connectors have pointed out,
changing Git identities is a trivial operation that can be done in so many
different ways.

------
abhishekjha
What do I do if my key has expired?

~~~
micahhenning
Generate a new key and update the global git config with the new public key
hash. Then add the new public key to Github/Gitlab to support verification of
signed commits with new key.

~~~
abhishekjha
But that would invalidate the old signed commits, wouldn't it?

~~~
chipsa
Pretty sure you can keep your old keys in there. You just don't use the old
key for signing.

