Signed Git Commits
What is signed commits?
Signing your Git commits provides a layer of authenticity and security to your version control history. Here are some reasons why you might want to sign your commits:
1. Verification of Authorship
Signing a commit verifies that you are the actual author of the change. It provides assurance to other contributors and maintainers that the changes truly come from a trusted source.
Signed commits ensure that the changes weren’t altered in any way after you signed them. It guarantees the integrity of the commit, assuring reviewers that the code hasn’t been tampered with.
3. Trust in Open Source
In open source projects, where contributions come from various unknown contributors, having signed commits can establish trust. Reviewers can be certain that commits are from a specific contributor and haven’t been maliciously altered.
4. Audit Trail
In regulated or enterprise environments, having a clear and verifiable audit trail can be essential. Signed commits can be part of the compliance process to track and verify changes to the codebase.
5. Protection Against Malicious Activity
There have been instances where bad actors have tried to inject malicious code into open-source projects. Signed commits make it more challenging for such actors to impersonate trusted contributors.
While the commit log tells “what” was changed, the signature on the commit provides a verifiable “who” changed it.
7. Strengthening Release Authenticity
If you’re releasing software, having a trail of signed commits leading up to that release can give users or businesses additional confidence in the authenticity of the software they’re installing or using.
While these are compelling reasons, there are also considerations:
Setting up GPG and signing commits does introduce an overhead, both in initial setup and in daily use (e.g., entering a passphrase for every commit unless you cache it).
2. Privacy Concerns
Some people might not want to use GPG for commit signing because it can tie a specific identity to the commits.
3. Workflow Impact
For teams unfamiliar with GPG and commit signing, there can be a learning curve and potential disruptions to the usual workflows.
How to Use Signed Commits
Signing commits with GPG in GitHub ensures that the commits you make are verifiably made by you. It’s a method of proving the authenticity and integrity of your commits. Here’s a step-by-step guide to set up and sign your commits using GPG on GitHub:
1. Check for Existing GPG Keys
Before generating a new GPG key, check if you already have any existing keys:
gpg --list-secret-keys --keyid-format LONG
2. Generate a New GPG Key
If you don’t have a GPG key or you want to create a new one:
Choose RSA and RSA and set the key size to 4096 bits. Follow the prompts to set a name, email, and passphrase.
3. Get the GPG Key ID
Once the key is generated, you need to get the GPG key ID:
gpg --list-secret-keys --keyid-format LONG
From the output, under the sec line, copy the GPG key ID (the part after the / and before the date).
4. Export the GPG Key
Use the GPG key ID to export your public key:
gpg --armor --export YOUR_GPG_KEY_ID
Copy the GPG key, starting from
-----BEGIN PGP PUBLIC KEY BLOCK----- to
-----END PGP PUBLIC KEY BLOCK-----.
5. Add the GPG Key to GitHub
Go to your GitHub settings.
Click on the SSH and GPG keys tab.
Click on “New GPG key” and paste your GPG key.
Click “Add GPG key”.
6. Configure Git to Sign Commits
First, tell Git about your GPG key:
git config --global user.signingkey YOUR_GPG_KEY_ID
To sign all commits by default in any local repository on your computer, run:
git config --global commit.gpgsign true
7. Sign Commits
Now, when you commit changes, use the -S option:
git commit -S -m "Your commit message"
If you’ve set commit.gpgsign to true, then you won’t need the -S option; Git will sign commits automatically.
8. Push the Signed Commit to GitHub
Once the commit is pushed to GitHub, you should see a “Verified” badge next to your commit, indicating it’s signed.
9. Using GPG Passphrase with Git
When you sign a commit, GPG will prompt you for the passphrase you set during key creation. If you want to cache your GPG passphrase for a duration, you can use gpg-agent. Most modern GPG installations come with gpg-agent by default.