Writing about software engineering, architecture, cloud and AWS.

Why you should start signing your git commits today

December 10, 2021

You can sign your Git commits cryptographically by using a GPG key. This will prove the commit came from you. And can act as a reliable audit trail. Also, you will get a cool ‘Verified’ badge next to your commits.

Before telling, you how to set it up I would like to talk about why you should sign your commits.

By signing your commits you can prove that the commit actually came from you.

This is needed because it is pretty easy to add anyone as the author of a commit. This can be done by adding the --author flag to your commit. Like this: --author="Author Name <email@address.com>"

This is not a security vulnerability by itself. But it could be used to hide the real author of malicious code. When a commit is unsigned you have no guarantee that:

  • The author of the commit is not the person who made the commit
  • The code has not been tampered with

Therefore, signing commits could help with compliance. For example like with PCI compliance where it is required to have an audit trail of every change. With signed commits you can use git as a reliable source for your audit trail. Making sure the author of the commit is actually who he claims to be.

While signing your commits doesn’t limit anyone from still adding you as the author of a commit. This will result in a unsigned commit which doesn’t guarantee that the author is the same as the writer of the code.

Last but not least, when you sign your commits you will get a cool ‘Verified’ badge next to your commits. (see image below)

Conclusion

By signing your commits you can prove that you are the author. You can be sure the code has not been tampered with. And signed commits could act as a reliable source for an audit trail.

How to sign your commits:

Here I will show you step by step how to sign your commits with GPG.

Install GPG

Download and install the GPG command line tools for your operating system.

For Mac users, the GPG Suite allows you to store your GPG key passphrase in the Mac OS Keychain.

Generate GPG key

Generate a GPG key gpg --full-gen-key. Make sure you set a passphrase when asked for. If your key gets stolen they still cannot use it without knowing the passphrase.

List GPG key

Get your GPG keys by running: gpg --list-secret-keys --keyid-format long
In the line that starts with ‘sec’ get the part after the slash / it should look like 3AA5C34371567BD2

Add the GPG key to GitHub

To have GitHub verify your commits you should upload your GPG key to GitHub. You can upload the GPG key to GitHub under the profile settings. This should also work for Gitlab, Bitbucket and other git repository managers.

  1. Go to GitHub and navigate to settings.
  2. Click ‘SSH and GPG keys’
  3. Click ‘New GPG key’
  4. Get your GPG key with the following command gpg --armor --export 3AA5C34371567BD2
  5. Paste the output in GitHub
  6. Save

Configure git

Now that you created your GPG key and uploaded it to GitHub you can set up git on your machine to use the key.

Run the following command to add your key to the global git config

git config --global user.signingkey 3AA5C34371567BD2

Sign your commits

Now you can start signing your commits and tags by add the following flags:

  • Add the -S flag when creating a commit: git commit -S
  • Create a tag with git tag -s: git tag -s mytag

It is also possible to automatically sign all your commits by setting to following options in your git config:

git config --global commit.gpgSign true

git config --global tag.gpgSign true

Verify

To verify if your commit is signed navigate to your commit in GitHub and see if you see the ‘Verified’ badge next to it.

Optional: Enforce signed commits on GitHub

It is possible to enforce signed commits in your repo. To read how to enable this see the link here

Sources

GitHub: About commit signature verification