How to Sign Your Commits: A Guide for Git Users
Mohammad Imran @imransaifi

About: DevOps 👨‍💻 | AWS Community builder | Co-Founder at GrowInCommunity | DevRel Enthusiast 🥑 | Tech Blogger 👨‍💻 | Cloud Computing | Cloud Native | Open Source Contribution.



Publish Date: Apr 4 '24

Why Sign Your Commits?

Before going through the steps, it is worth being clear about what a signature on a commit actually proves, and what it does not.

Commit signing offers several benefits for both individual developers and collaborative projects:

  1. Integrity and Authenticity : A signature proves that the commit was created by whoever holds the signing key, and that the signed content (tree, parents, author and committer fields, and message) has not changed since it was signed. A maintainer who checks signatures can refuse changes that do not carry a signature from a known key.

  2. Attribution : Git's author and committer fields are plain text that anyone can set (for example with git commit --author), so on their own they prove nothing. A signature ties the commit to a specific key, which lets maintainers and collaborators attribute each change to the holder of that key.

  3. Trust and Verification : By signing your commits with a cryptographic key, you establish trust in your contributions. Other developers can verify the authenticity of your commits using your public key, thereby increasing confidence in the codebase.

  4. Compliance and Audit Trails : In certain industries or projects with strict regulatory requirements, commit signing helps maintain compliance and provides an audit trail for all changes made to the codebase.

How to Sign Your Commits

Signing your commits involves a few simple steps. Below, we outline the process using Git and GPG (GNU Privacy Guard), a widely used open-source implementation of the OpenPGP standard:

Step 1: Install GPG

If you haven't already, install GPG on your system. You can download and install it from the official website for Windows and macOS, or use your package manager on Linux distributions.

I am using Ubuntu, where GPG is already installed. Check it with the gpg --version command, which also lists the supported algorithms.

Step 2: Generate a GPG Key Pair

Generate a new GPG key pair using the gpg --full-generate-key command. Follow the prompts to choose the key type, the key size (for RSA), the expiration time, your name, your email address, and a passphrase. The passphrase protects the private key on disk, so choose a strong one; if the key file is ever copied, the passphrase is all that stands between an attacker and commits signed in your name.

💡 Recommendation: for RSA, choose 4096 bits. It is the largest size the prompt offers and a common recommendation for long-lived keys.

💡 Recommendation: key type 1, "RSA and RSA", creates a signing primary key plus an encryption subkey. Commits are only signed, never encrypted, so for commit signing alone the "RSA (sign only)" option is sufficient; the encryption subkey is useful if you also want to receive encrypted email or files under the same identity.

Step 3: List Your GPG Keys

List the GPG keys on your system using gpg --list-secret-keys --keyid-format LONG. Each key is shown on a sec line of the form sec   rsa4096/<KEY_ID>; the hexadecimal string after the slash is the long key ID that Git needs in the next step.

Step 4: Configure Git to Use Your GPG Key

Configure Git to use your GPG key for signing commits by running the following commands:

git config --global user.signingkey <GPG_KEY_ID>
git config --global commit.gpgsign true

Replace <GPG_KEY_ID> with the ID of your GPG key, which you obtained from the previous step.

Step 5: Make a Signed Commit

With commit.gpgsign set to true, every commit you make is signed automatically. If you did not set it, or want to sign a single commit explicitly, add the -S flag:

git commit -S -m "Your commit message"

Your commit is now signed with your GPG key. The signature is stored inside the commit object itself (a gpgsig header), so it travels with the commit when you push.

[Screenshot of a signed commit]

Step 6: Share Your Public Key

To allow others to verify your signed commits, share your GPG public key with them. You can export your public key using:

gpg --armor --export <YOUR_EMAIL>

Replace <YOUR_EMAIL> with the email address associated with your GPG key. Share the exported public key through key servers, email, or any other channel. The public key is not secret, so confidentiality is not the concern; what a recipient needs is confidence that the key is really yours, for example by comparing its fingerprint (gpg --fingerprint <YOUR_EMAIL>) over a channel an attacker could not have tampered with.

Step 7: Add your GPG key to your GitHub account

To enable GitHub to recognize your signed commits and display a "Verified" badge next to them, you need to add your GPG public key to your GitHub account.

Copy Your GPG Key : Copy the output including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- from the previous step

Go to your GitHub settings > SSH and GPG keys > New GPG key

Paste Your GPG Key : Paste your GPG public key into the Key field.

Click Add GPG key to save it to your GitHub account.

Your GPG key is now added to your GitHub account.

Once the key is added, GitHub checks the signature on each commit you push and displays a "Verified" badge when it is good. Two conditions must hold for the badge to appear: the signature must verify against a key on your account, and the committer email address in the commit must match both a user ID on that key and a verified email address on your GitHub account. Commits that are signed but fail these checks are labelled "Unverified", which is why user.email in Git should match the email you used when generating the key.
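Steps 2 to 7 as one runnable script, added here as an example (it is not code from the article): it generates a signing-only RSA 4096 key without prompts in a throwaway GNUPGHOME, configures a throwaway repository to sign every commit, exports the public key block you would paste into GitHub, and then checks the signature three ways: in your own keyring, in a collaborator's keyring before they import your public key, and after they import it. The identity Example Signer <signer@example.com>, the directory layout and the function names are constructed for the demo; the script assumes gpg (GnuPG 2.x) and git are installed and on PATH.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): Steps 2-7 end to end in a
# throwaway GNUPGHOME and a throwaway repository, so nothing here touches your
# real keyring or git configuration. Assumes gpg (GnuPG 2.x) and git are on
# PATH. The identity "Example Signer <signer@example.com>" is made up.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"      # the signer's own keyring
REPO="$WORK/repo"
SIGNER_NAME="Example Signer"
SIGNER_EMAIL="signer@example.com"

# Step 2, unattended: same choices as the article (RSA, 4096 bits) but a
# signing-only key with no passphrase (%no-protection) so the demo needs no
# prompt. For a real key drop %no-protection and set a strong passphrase.
# Prints the long key ID (Step 3): field 5 of the colon-separated "sec" line.
setup_key() {
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $SIGNER_NAME
Name-Email: $SIGNER_EMAIL
Expire-Date: 1y
%commit
EOF
    gpg --list-secret-keys --with-colons "$SIGNER_EMAIL" \
        | awk -F: '/^sec/ { print $5; exit }'
}

# Steps 4-5: point git at the key and sign every commit. Because
# commit.gpgsign is true, "git commit" signs without -S. user.email must match
# a user ID on the key, or verifiers (GitHub included) will not link the
# signature to the author.
setup_repo() {  # $1 = long key ID
    git init -q "$REPO"
    git -C "$REPO" config user.name "$SIGNER_NAME"
    git -C "$REPO" config user.email "$SIGNER_EMAIL"
    git -C "$REPO" config user.signingkey "$1"
    git -C "$REPO" config commit.gpgsign true
    printf 'hello\n' > "$REPO/README.md"
    git -C "$REPO" add README.md
    git -C "$REPO" commit -q -m "Add README"
}

# Signature status of HEAD as git reports it: G = good and from a trusted key,
# U = good but key validity unknown, E = cannot check (no public key),
# B = bad, N = unsigned. "git verify-commit HEAD" exits non-zero unless good.
sig_status() {
    git -C "$REPO" log -1 --format=%G?
}

# Step 6: the ASCII-armoured public key block to share or paste into GitHub.
export_pubkey() {
    gpg --armor --export "$SIGNER_EMAIL"
}

# What a collaborator sees. $1 is that person's (initially empty) GNUPGHOME,
# $2 the exported public key file, or "" to check before they import it.
verify_as_collaborator() {
    mkdir -p "$1" && chmod 700 "$1"
    [ -z "${2:-}" ] || GNUPGHOME="$1" gpg --quiet --import "$2" 2>/dev/null
    GNUPGHOME="$1" git -C "$REPO" log -1 --format=%G?
}

KEY_ID="$(setup_key)"
setup_repo "$KEY_ID"
export_pubkey > "$WORK/signer.asc"
OWN_STATUS="$(sig_status)"                                                    # G
NOKEY_STATUS="$(verify_as_collaborator "$WORK/collab" "")"                   # E
IMPORTED_STATUS="$(verify_as_collaborator "$WORK/collab" "$WORK/signer.asc")" # U
printf 'key %s\nown keyring: %s\ncollaborator before import: %s\nafter import: %s\n' \
    "$KEY_ID" "$OWN_STATUS" "$NOKEY_STATUS" "$IMPORTED_STATUS"
git -C "$REPO" log -1 --show-signature
```

The three status letters come from git's %G? placeholder. G is a good signature from a key your own keyring marks as trusted (your own key is ultimately trusted). E means git could not check the signature at all because the collaborator's keyring has no copy of the public key; this is the situation Step 6 fixes. U means the signature is cryptographically good but the key's validity is unknown, which is exactly what a collaborator sees after importing a key from a blog post or key server until they verify its fingerprint with you and mark it trusted. GitHub's "Verified" badge plays that trust role on its platform: the key you upload in Step 7 is the one GitHub considers yours.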

Conclusion

Signing your commits is a simple yet effective way to enhance the security and trustworthiness of your contributions to a Git repository. By following the steps outlined in this guide, you can start signing your commits today and contribute to a more secure and transparent development process. Whether you're working on open-source projects or proprietary software, commit signing helps ensure the integrity and authenticity of your code changes, fostering a culture of trust and collaboration within the developer community.

Comments 20 total

  • Christophe Colombier, Apr 4, 2024

    Signing commits with an ssh key is easier to set up and should be considered the default method.

    dev.to/igmrrf/adding-ssh-keys-to-y...

    GPG world comes with a lot of issues and background

    • Red Ochsenbein (he/him), Apr 5, 2024

      And where in this article are the commits signed?

    • Mohammad Imran, Apr 5, 2024

      Thanks. I will definitely try with ssh key. I was using GPG key and thought that GPG keys are more secure. But now I will definitely try other methods too.

  • Jesus Pacheco, Apr 5, 2024

    How can the others team members see if commits are signed ??

    • Mohammad Imran, Apr 5, 2024

      I updated the article with the screenshot of a signed commit.
      Thank you so much for commenting, Jesus.

    • Red Ochsenbein (he/him), Apr 7, 2024

      git log --show-signature

  • Bart97coder, Apr 5, 2024

    Good guide

  • Madhu Saini, Apr 5, 2024

    Thanks for sharing, Imran!

  • Bruno, Apr 5, 2024

    You can sign your commits with your email address, the user signing key and the -S flag. And if you are working in a private company project, for example, you would be using a company email address, so it seems overkill to do this whole approach with GPG. It is rubbing me off a tad with sharing your GPG key with others as well, seems a bit insecure to me 🤔

    • Mohammad Imran, Apr 5, 2024

      Thanks for sharing! I will definitely try other things as well. I just thought GPG is a little more secure than other options. But after your suggestion, I will definitely try other options as well.

    • Red Ochsenbein (he/him), Apr 7, 2024

      Well, sharing your public key with others is the whole point of gpg. This way people can verify your signed commit is actually yours...
