Why Sign Your Commits?
Before learning how to sign commits, we will learn why signing your commits is important.
Commit signing offers several benefits for both individual developers and collaborative projects:
Code Integrity : Signing your commits verifies that they were indeed authored by you and have not been tampered with since. This helps maintain the integrity of the codebase and ensures that only trusted changes are accepted.
Attribution : Signed commits provide clear attribution, allowing project maintainers and collaborators to identify the author of each change accurately.
Trust and Verification : By signing your commits with a cryptographic key, you establish trust in your contributions. Other developers can verify the authenticity of your commits using your public key, thereby increasing confidence in the codebase.
Compliance and Audit Trails : In certain industries or projects with strict regulatory requirements, commit signing helps maintain compliance and provides an audit trail for all changes made to the codebase.
How to Sign Your Commits
Signing your commits involves a few simple steps. Below, we outline the process using Git and GPG (GNU Privacy Guard), a widely-used open-source encryption software:
Step 1: Install GPG
If you haven't already, install GPG on your system. You can download and install GPG from the official website for Windows and MacOS or use your package manager for Linux distributions.
I am using Ubuntu. GPG is already installed on that. Check it by using the gpg --help command.
Step 2: Generate a GPG Key Pair
Generate a new GPG key pair using the gpg --full-generate-key command. Follow the prompts to enter your type of key, key bit size, expiration time, name, email address, and passphrase. This passphrase will be used to protect your private key, so choose a strong and memorable one.
π‘
Recommendation: the key size should be 4096 bits as its the most secure.
π‘
Recommendation: select key type 1 that is RSA and RSA which will be helpful in encrypting the commits and alot of other things and not just signing the commits
Step 3: List Your GPG Keys
List the GPG keys on your system using gpg --list-secret-keys --keyid-format LONG. This command will display a list of GPG keys along with their associated IDs.
Step 4: Configure Git to Use Your GPG Key
Configure Git to use your GPG key for signing commits by running the following commands:
git config --global user.signingkey <GPG_KEY_ID>git config --global commit.gpgsign true
Replace <GPG_KEY_ID> with the ID of your GPG key, which you obtained from the previous step.
Step 5: Make a Signed Commit
Now, whenever you make a commit, add the -S flag to sign it with your GPG key:
git commit -S -m "Your commit message"
Your commit is now signed with your GPG key, and the signature is embedded in the commit metadata.
Step 6: Share Your Public Key
To allow others to verify your signed commits, share your GPG public key with them. You can export your public key using:
gpg --armor --export <YOUR_EMAIL>
Replace <YOUR_EMAIL> with the email address associated with your GPG key. Share the exported public key through key servers, email, or other secure channels.
Step 7: Add your GPG key to your Github account
To enable GitHub to recognize your signed commits and display a "Verified" badge next to them, you need to add your GPG key to your GitHub account.
Copy Your GPG Key : Copy the output including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- from the previous step
Go to your GitHub settings > SSH and GPG keys > New GPG key
Paste Your GPG Key : Paste your GPG public key into the Key field.
Click Add GPG key to save it to your GitHub account.
Now Your GPG key is added to you GitHub account.
Once you've added your GPG key to your GitHub account, GitHub will recognize your signed commits and display a "Verified" badge next to them. This provides additional validation of your commits' authenticity to other contributors and users of the repository.
Conclusion
Signing your commits is a simple yet effective way to enhance the security and trustworthiness of your contributions to a Git repository. By following the steps outlined in this guide, you can start signing your commits today and contribute to a more secure and transparent development process. Whether you're working on open-source projects or proprietary software, commit signing helps ensure the integrity and authenticity of your code changes, fostering a culture of trust and collaboration within the developer community.
Top comments (20)
Signing commit with ssh key is more easy to setup and should be considered as the default method.
dev.to/igmrrf/adding-ssh-keys-to-y...Git: The complete guide to sign your commits with an ssh key
Christophe Colombier γ» Apr 7
GPG world comes with a lot of issues and background
And where in this article are the commits signed?
@syeo66 @imransaifi
I took the time this weekend to write an article about ssh signing in git
Git: The complete guide to sign your commits with an ssh key
Christophe Colombier γ» Apr 7
Thanks. One thing is missing: How would you verify the signature? With gpg there is at least the possibility to retrieve the public key from a key server. There is no such thing for ssh. How would you manage the public keys of your peers to verify the signed commits?
I will detail with my next post. Here you rely on GitHub/GitLab.
I made some research and GPG signing seems to remain the reference in term of security because:
@imransaifi but in my article I already wrote the part about allowed_signers file inside the repository
Lol. Indeed. I quoted a wrong one. I'll write one on dev.to if I don't find one.
I just updated the article. Thanks for commenting and letting me know.
I just updated the article with the screenshot of a signed commit. I missed that.
Thanks for letting me know.
Thanks. I will definitely try with ssh key. I was using GPG key and thought that GPG keys are more secure. But now I will definitely try other methods too.
You can sign your commits with your email address, the user signing key and the
-Sflag. And if you are working in a private company project, for example, you would be using a company email address, so it seems overkill to do this whole approach with GPG. It is rubbing me off a tad with sharing your GPG key with others as well, seems a bit insecure to me π€Well, sharing your public key with others is the whole point of gpg. This way people can verify your signed commit is actually yours...
Thanks for sharing! I will defintely try other things as well. I just thought GPG is little more secure than other options. But after your suggestion, I will definitely other options as well.
How can the others team members see if commits are signed ??
I updated the article with the screenshot of a signed commit.
Thankyou so much for commenting Jesus.
Thanks for sharing, Imran!
You're welcome Madhu.
Good guide
Thankyou Bart