Why you should start signing your git commits today
You can sign your Git commits cryptographically by using a GPG key. This will prove the commit came from you. And can act as a reliable audit trail. Also, you will get a cool ‘Verified’ badge next to your commits.
Before telling, you how to set it up I would like to talk about why you should sign your commits.
By signing your commits you can prove that the commit actually came from you.
This is needed because it is pretty easy to add anyone as the author of a commit.
This can be done by adding the
--author flag to your commit. Like this:
--author="Author Name <firstname.lastname@example.org>"
This is not a security vulnerability by itself. But it could be used to hide the real author of malicious code. When a commit is unsigned you have no guarantee that:
- The author of the commit is not the person who made the commit
- The code has not been tampered with
Therefore, signing commits could help with compliance. For example like with PCI compliance where it is required to have an audit trail of every change. With signed commits you can use git as a reliable source for your audit trail. Making sure the author of the commit is actually who he claims to be.
While signing your commits doesn’t limit anyone from still adding you as the author of a commit. This will result in a unsigned commit which doesn’t guarantee that the author is the same as the writer of the code.
Last but not least, when you sign your commits you will get a cool ‘Verified’ badge next to your commits. (see image below)
By signing your commits you can prove that you are the author. You can be sure the code has not been tampered with. And signed commits could act as a reliable source for an audit trail.
How to sign your commits:
Here I will show you step by step how to sign your commits with GPG.
Download and install the GPG command line tools for your operating system.
For Mac users, the GPG Suite allows you to store your GPG key passphrase in the Mac OS Keychain.
Generate GPG key
Generate a GPG key
Make sure you set a passphrase when asked for. If your key gets stolen they still cannot use it without knowing the passphrase.
List GPG key
Get your GPG keys by running:
gpg --list-secret-keys --keyid-format long
In the line that starts with ‘sec’ get the part after the slash
/ it should look like
Add the GPG key to GitHub
To have GitHub verify your commits you should upload your GPG key to GitHub. You can upload the GPG key to GitHub under the profile settings. This should also work for Gitlab, Bitbucket and other git repository managers.
- Go to GitHub and navigate to settings.
- Click ‘SSH and GPG keys’
- Click ‘New GPG key’
- Get your GPG key with the following command
gpg --armor --export 3AA5C34371567BD2
- Paste the output in GitHub
Now that you created your GPG key and uploaded it to GitHub you can set up git on your machine to use the key.
Run the following command to add your key to the global git config
git config --global user.signingkey 3AA5C34371567BD2
Sign your commits
Now you can start signing your commits and tags by add the following flags:
- Add the -S flag when creating a commit:
git commit -S
- Create a tag with git tag -s:
git tag -s mytag
It is also possible to automatically sign all your commits by setting to following options in your git config:
git config --global commit.gpgSign true
git config --global tag.gpgSign true
To verify if your commit is signed navigate to your commit in GitHub and see if you see the ‘Verified’ badge next to it.
Optional: Enforce signed commits on GitHub
It is possible to enforce signed commits in your repo. To read how to enable this see the link here