DEV Community


How to Sign Your Commits: A Guide for Git Users

Mohammad Imran on April 04, 2024

Why Sign Your Commits? Before learning how to sign commits, we will learn why signing your commits is important. Commit signing offers ...
Christophe Colombier

Signing commits with an SSH key is easier to set up and should be considered the default method.

dev.to/igmrrf/adding-ssh-keys-to-y...

The GPG world comes with a lot of issues and background.

Red Ochsenbein (he/him)

And where in this article are the commits signed?

Christophe Colombier
Red Ochsenbein (he/him)

Thanks. One thing is missing: how would you verify the signature? With GPG there is at least the possibility to retrieve the public key from a key server. There is no such thing for SSH. How would you manage the public keys of your peers to verify the signed commits?

Christophe Colombier

I will detail with my next post. Here you rely on GitHub/GitLab.

I did some research, and GPG signing seems to remain the reference in terms of security because:

  • you can revoke a GPG key
  • you can set an expiration for a GPG key
  • there is "global authority"
Christophe Colombier

@imransaifi, but in my article I already wrote the part about the allowed_signers file inside the repository.

Christophe Colombier

Lol. Indeed. I quoted the wrong one. I'll write one on dev.to if I don't find one.

Mohammad Imran

I just updated the article. Thanks for commenting and letting me know.

Mohammad Imran

I just updated the article with the screenshot of a signed commit. I missed that.
Thanks for letting me know.

Mohammad Imran

Thanks. I will definitely try with an SSH key. I was using a GPG key and thought that GPG keys are more secure. But now I will definitely try other methods too.

Bruno

You can sign your commits with your email address, the user signing key and the -S flag. And if you are working on a private company project, for example, you would be using a company email address, so it seems overkill to do this whole approach with GPG. Sharing your GPG key with others also rubs me the wrong way a tad; it seems a bit insecure to me 🤔

Red Ochsenbein (he/him)

Well, sharing your public key with others is the whole point of GPG. This way people can verify that your signed commit is actually yours...

Mohammad Imran

Thanks for sharing! I will definitely try other things as well. I just thought GPG is a little more secure than other options. But after your suggestion, I will definitely try other options as well.

Jesus Pacheco

How can the other team members see if commits are signed?

Red Ochsenbein (he/him)
git log --show-signature
Mohammad Imran

I updated the article with the screenshot of a signed commit.
Thank you so much for commenting, Jesus.

Madhu Saini

Thanks for sharing, Imran!

Mohammad Imran

You're welcome Madhu.

Bart97coder

Good guide

Mohammad Imran

Thank you, Bart.