Signed Git Commits

18 October 2023 · netologist · 4 min, 733 words

What are signed commits?

Signing your Git commits provides a layer of authenticity and security to your version control history. Here are some reasons why you might want to sign your commits:

1. Verification of Authorship

Signing a commit verifies that you are the actual author of the change. It provides assurance to other contributors and maintainers that the changes truly come from a trusted source.

2. Integrity

Signed commits ensure that the changes weren’t altered in any way after you signed them. The signature guarantees the integrity of the commit, assuring reviewers that the code hasn’t been tampered with.

3. Trust in Open Source

In open source projects, where contributions come from various unknown contributors, having signed commits can establish trust. Reviewers can be certain that commits are from a specific contributor and haven’t been maliciously altered.

4. Audit Trail

In regulated or enterprise environments, having a clear and verifiable audit trail can be essential. Signed commits can be part of the compliance process to track and verify changes to the codebase.

5. Protection Against Malicious Activity

There have been instances where bad actors have tried to inject malicious code into open-source projects. Signed commits make it more challenging for such actors to impersonate trusted contributors.

6. Documentation

While the commit log tells “what” was changed, the signature on the commit provides a verifiable “who” changed it.

7. Strengthening Release Authenticity

If you’re releasing software, having a trail of signed commits leading up to that release can give users or businesses additional confidence in the authenticity of the software they’re installing or using.

While these are compelling reasons, there are also considerations:

1. Overhead

Setting up GPG and signing commits does introduce an overhead, both in initial setup and in daily use (e.g., entering a passphrase for every commit unless you cache it).

2. Privacy Concerns

Some people might not want to use GPG for commit signing because it can tie a specific identity to the commits.

3. Workflow Impact

For teams unfamiliar with GPG and commit signing, there can be a learning curve and potential disruptions to the usual workflows.

How to Use Signed Commits

Signing commits with GPG on GitHub ensures that the commits you make are verifiably made by you. It’s a method of proving the authenticity and integrity of your commits. Here’s a step-by-step guide to setting up and signing your commits using GPG on GitHub:

1. Check for Existing GPG Keys

Before generating a new GPG key, check if you already have any existing keys:

gpg --list-secret-keys --keyid-format LONG

2. Generate a New GPG Key

If you don’t have a GPG key or you want to create a new one:

gpg --full-generate-key

Choose “RSA and RSA” as the key type and set the key size to 4096 bits. Follow the prompts to set a name, email, and passphrase.

3. Get the GPG Key ID

Once the key is generated, you need to get the GPG key ID:

gpg --list-secret-keys --keyid-format LONG

From the output, on the sec line, copy the GPG key ID (the part after the / and before the creation date).

4. Export the GPG Key

Use the GPG key ID to export your public key:

gpg --armor --export YOUR_GPG_KEY_ID

Copy the GPG key, starting from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----.

5. Add the GPG Key to GitHub

Go to your GitHub settings.

Click on the SSH and GPG keys tab.

Click on “New GPG key” and paste your GPG key.

Click “Add GPG key”.

6. Configure Git to Sign Commits

First, tell Git about your GPG key:

git config --global user.signingkey YOUR_GPG_KEY_ID

To sign all commits by default in any local repository on your computer, run:

git config --global commit.gpgsign true

7. Sign Commits

Now, when you commit changes, use the -S option:

git commit -S -m "Your commit message"

If you’ve set commit.gpgsign to true, then you won’t need the -S option; Git will sign commits automatically.

8. Push the Signed Commit to GitHub

git push

Once the commit is pushed to GitHub, you should see a “Verified” badge next to your commit, indicating that its signature was verified.

9. Using GPG Passphrase with Git

When you sign a commit, GPG prompts you for the passphrase you set during key creation. If you want to cache the passphrase for a period of time, use gpg-agent, which most modern GPG installations include by default.
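The “Verified” badge only tells you that GitHub could verify a signature; it does not tell you whether the signing key is one your project actually trusts. The script below is an added example (not part of the original post) of running that check locally over a commit range using git’s own %G? and %GK log placeholders; the approved key ID and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Check that every commit in a range carries a good signature from an approved key.
# Input lines must look like the output of:
#   git log --format='%H|%G?|%GK|%an' <range>
# where %G? is git's signature status (G good, U good but key validity unknown,
# B bad, N unsigned, E cannot be checked, X/Y/R good but signature or key
# expired/revoked) and %GK is the signing key ID. Policy used here: accept G or U
# only when the key is on the approved list; reject everything else. The exit
# status is the number of rejected commits (capped at 255), so the function can
# serve directly as a CI gate.
audit_signatures() {
    [ -n "$1" ] || { echo "no approved keys given" >&2; return 255; }
    approved=" $1 "   # space-separated long key IDs, padded for substring matching
    failures=0
    while IFS='|' read -r sha status key author; do
        [ -n "$sha" ] || continue
        case "$status" in
            G|U)
                case "$approved" in
                    *" $key "*) echo "OK     $sha signed by approved key $key ($author)" ;;
                    *) echo "REJECT $sha signed by unapproved key ${key:-<none>} ($author)"
                       failures=$((failures + 1)) ;;
                esac ;;
            N)  echo "REJECT $sha is unsigned ($author)"
                failures=$((failures + 1)) ;;
            *)  echo "REJECT $sha has signature status $status ($author)"
                failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -le 255 ] || failures=255
    return "$failures"
}

# Constructed sample standing in for real `git log --format='%H|%G?|%GK|%an'` output.
SAMPLE_LOG='1111aaaa|G|3AA5C34371567BD2|alice
2222bbbb|N||bob
3333cccc|G|0123456789ABCDEF|mallory
4444dddd|U|3AA5C34371567BD2|alice
5555eeee|B|3AA5C34371567BD2|alice'
APPROVED_KEYS="3AA5C34371567BD2"   # hypothetical allow-list for this project

if printf '%s\n' "$SAMPLE_LOG" | audit_signatures "$APPROVED_KEYS"; then
    echo "all commits signed by approved keys"
else
    echo "rejected $? commit(s)"   # prints: rejected 3 commit(s)
fi
```

In a real pipeline, replace the sample with `git log --format='%H|%G?|%GK|%an' origin/main..HEAD` after importing the approved public keys into the runner’s keyring, since git needs them to compute %G? at all.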