Findings

How to retroactively sign all commits in a branch

/ Leave a Comment

If you haven’t set up GPG signing, check out my previous post on this here.

Say you created a new branch from main called my-branch. This guide will help you to sign all of the commits that are in my-branch that are not in main.

For starters, do a git fetch origin so that we are up to date with remotes. Be on my-branch. Ensure that you are rebased correctly from the main branch. This is not so important but will keep things clean and make it easy to merge later.

git rebase origin/main

Resolve conflicts, if any. Ensure clean state. Now to retroactively sign commits on my-branch, run:

git rebase --exec 'git commit --amend --no-edit -n -S' -i origin/main

Being on my-branch basically what you are saying here is that:

  1. Start an interactive rebase from the last known commit that is on origin/main, rolling back temporarily.
  2. For every commit, execute (--exec) git commit command, amending each commit without modifying its contents and signing every commit

Hope this helps.

Enabling git-GPG signed commits on MacOS

/ 1 Comment

Install gpg via Homebrew.

brew install gnupg

Here you can generate keys yourself or import an existing key.

gpg --generate-key
// OR
gpg --import path/to/secret.asc

Now we tell git what key we want to use. Run this command to list your keys:

gpg --list-secret-keys --keyid-format=long

You should see some output like below, copy the highlighted section:

sec   rsa2048/9A9A9A9A9A9A9A9A 2015-05-01 [SC]

Then set it as user.signingkey in git config

git config --global user.signingkey 9A9A9A9A9A9A9A9A

Tell git to sign commits and which program to use

git config --global commit.gpgsign true 
git config --global gpg.program gpg

In your bash profile set the following to allow for passphrase entry:

export GPG_TTY=$(tty)

Alternatively you can use the pinentry tool from homebrew.

Thats it! From now on, any new commits will be automatically signed. The program might ask you for your passphrase through your mechanism of choice (terminal/pop up etc).

Who’s using my macbook camera?

/ Leave a Comment

So the other day I was working away on my Macbook Pro and suddenly, out of the blue, the light next to my camera came on. Now, this is a new macbook so I don’t have my little sliding window sticker that blocks my webcam yet. Even if I did have it, I’d still be equally worried. So I started digging. The only apps I had open at the time were:

  • Firefox
  • BlueJeans (video conferencing software)
  • Intellij IDEA
  • Visual Studio Code
  • iTerm

Basically the Software Engineer’s toolkit.

After a little digging on the Internet, I found a few commands that could help me. I have conveniently combined them all into this single command:

lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"

This gave me the following:

➜  ~ lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"
firefox   1956 mdave  txt       REG                1,5      424176 1152921500312438057 /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC

Hmm so its Firefox? Weird because usually its very good with permissions. Most of my tabs were DuckDuckGo, StackOverflow, Jira, Confluence, Gmail and a few other “trusty” company web pages. This couldn’t be it?

I did some digging around in settings but no luck. Finally, I brought down the hammer and took away the permissions to Camera (and Microphone for safety) from the System Preferences. And viola!

➜  ~ lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"
firefox   1956 mdave  txt       REG                1,5      424176 1152921500312438057 /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
➜  ~ lsof | grep -e "AppleCamera" -e "iSight" -e "VDC"
➜  ~

No more naughty webcam access! I guess if I need it again, I’ll just give it permissions explicitly through the System Preferences. Or perhaps I can side-install another firefox browser when I need to grant it permissions to view my webcam – the number of websites that I use that need this permission are very small in number and I can live with using a dedicated web browser for it.