DEV Community

Mohammad Imran

Posted on • Originally published at imransaifi.hashnode.dev on

How to Sign Your Commits: A Guide for Git Users

Why Sign Your Commits?

Before going through the mechanics, it helps to be precise about what a signature on a commit does and does not prove.

Commit signing offers several benefits for both individual developers and collaborative projects:

  1. Code Integrity : A signature proves that the commit was created by whoever holds the private key, and that the commit object (tree, parents, author, message) has not been altered since it was signed; any later change, even to a single byte of the message, invalidates the signature. It says nothing about whether the change itself is safe or correct; that still needs review.

  2. Attribution : Git's author and committer fields are plain text that anyone can set to any name and email with git config, so on their own they prove nothing. A valid signature is what actually ties a commit to a key the author controls, letting maintainers tell a genuine contribution from one that merely claims the same email address.

  3. Trust and Verification : By signing your commits with a cryptographic key, you give others something they can check. Any developer who has your public key (and has confirmed its fingerprint with you) can verify that a commit really came from you, which raises confidence in the history of the codebase.

  4. Compliance and Audit Trails : In certain industries or projects with strict regulatory requirements, commit signing helps maintain compliance and provides an audit trail for all changes made to the codebase.

How to Sign Your Commits

Signing your commits involves a few simple steps. Below, we outline the process using Git and GPG (GNU Privacy Guard), the widely used open-source OpenPGP implementation:

Step 1: Install GPG

If you haven't already, install GPG on your system. You can download it from the official website for Windows and macOS, or use your package manager on Linux distributions.

On Ubuntu (used here) GnuPG is installed by default. Check it with gpg --version, which also shows which GnuPG version you have; the prompts below are from the 2.x series.

Step 2: Generate a GPG Key Pair

Generate a new GPG key pair using the gpg --full-generate-key command. Follow the prompts for the key type, key size, expiration, your name, the email address you commit with, and a passphrase. The passphrase is all that protects the private key file at rest (a copied keyring without one is a copied identity), so choose a strong one. Use the same email address you have in git config user.email: GitHub only treats a signature as verified when the commit email matches an address on the key.

💡

Recommendation: choose 4096 bits, the largest size gpg offers at the prompt; it gives a comfortable margin for an RSA key that will stay in use for years.

💡

Recommendation: key type 1, "RSA and RSA", creates an RSA primary key for signing and certification plus an RSA subkey for encryption, so the same key can also encrypt files and email, not only sign commits (commits themselves are never encrypted; the signature is all that Git uses). Git needs only a signing-capable key, so "(4) RSA (sign only)" or an Ed25519 (ECC) key, which newer GnuPG versions offer on the same menu, works just as well for commits and is also accepted by GitHub.

Step 3: List Your GPG Keys

List the GPG keys on your system using gpg --list-secret-keys --keyid-format LONG. Each secret key is shown as a line of the form sec rsa4096/<GPG_KEY_ID> <creation date> [SC], followed by its fingerprint and user ID; the 16 hex characters after the slash are the long key ID you need in the next step.

Step 4: Configure Git to Use Your GPG Key

Configure Git to use your GPG key for signing commits by running the following commands:

git config --global user.signingkey <GPG_KEY_ID>
git config --global commit.gpgsign true

Replace <GPG_KEY_ID> with the long key ID from the previous step. commit.gpgsign true makes Git sign every commit automatically; with --global it applies to every repository on the machine, so drop --global and run it inside a repository if you only want signing there.

Step 5: Make a Signed Commit

Now make a commit as usual. With commit.gpgsign set to true in the previous step, Git signs it automatically; the -S flag forces signing for a single commit even when that setting is off (and --no-gpg-sign skips it once):

git commit -S -m "Your commit message"

Git asks for your passphrase through the GPG agent and stores the signature in a gpgsig header of the commit object, so it travels with the commit when it is pushed. Check it locally with git log --show-signature: a good signature reports the key ID and user ID it was made with, and any later change to the commit invalidates it.


Step 6: Share Your Public Key

To allow others to verify your signed commits, share your GPG public key with them. You can export your public key using:

gpg --armor --export <YOUR_EMAIL>

Replace <YOUR_EMAIL> with the email address associated with your GPG key. The public key is not secret, so it can go on a key server, in email, or in a repository; what matters is that whoever imports it confirms its fingerprint (gpg --fingerprint <YOUR_EMAIL>) with you through a channel an attacker cannot tamper with before relying on it.

Step 7: Add your GPG key to your GitHub account

To enable GitHub to recognize your signed commits and display a "Verified" badge next to them, you need to add your GPG key to your GitHub account.

Copy Your GPG Key : Copy the whole output from the previous step, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines.

Go to your GitHub settings > SSH and GPG keys > New GPG key

Paste Your GPG Key : Paste your GPG public key into the Key field.

Click Add GPG key to save it to your GitHub account.

GitHub now knows your public key. A commit shows the "Verified" badge when its signature checks out against that key and the committer email is a verified address on your account that also appears in the key's user ID; a commit that fails either test shows "Unverified" instead, so keep git config user.email and the email on the key in step with each other. The badge is GitHub's check only; anyone who clones the repository can run the same verification locally with your exported public key.
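The whole procedure end to end, as an added example that is not part of the original post and not the author's code. It generates a throwaway key the way Step 2 does, but non-interactively so it can run as a script; applies the Step 4 settings to a temporary repository; makes a signed commit; and then checks three things the text above asserts: a good signature verifies, a signed commit whose message is altered afterwards fails verification, and an unsigned commit that merely copies the same name and email carries no signature at all. It also performs Step 6 from the other side, importing the exported public key into a second, empty keyring to show what a peer sees before trusting the key. The function name sign_and_verify_demo, the identity "Demo Signer <demo-signer@example.com>" and the file contents are constructed for the demo; it needs git and GnuPG (2.1 or newer) on the PATH, uses temporary directories only, and never touches your real keyring or Git configuration. It generates an Ed25519 key so that key generation is quick; rsa4096 as recommended above behaves identically.

```shell
#!/bin/sh
# Added example, not code from the original article. Walks the article's steps
# in throwaway directories: generate a key, configure Git, sign a commit, then
# verify the good, tampered and unsigned cases. Requires git and GnuPG 2.1+.
# Identity, email address and file contents are constructed for the demo.

sign_and_verify_demo() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo "demo skipped: needs both gpg and git on PATH" >&2
        return 2
    fi

    # Isolated keyring and repo so nothing reaches ~/.gnupg or ~/.gitconfig.
    saved_gnupghome=${GNUPGHOME:-}
    GNUPGHOME=$(mktemp -d) && chmod 700 "$GNUPGHOME" || return 1
    export GNUPGHOME
    demo_repo=$(mktemp -d) || return 1

    # Step 2, non-interactive. ed25519 keeps the demo fast; rsa4096 (the
    # article's recommendation) works the same, only slower to generate. An
    # empty passphrase is acceptable only because this key is deleted below.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo-signer@example.com>' ed25519 sign never \
        || return 1

    # Step 3: the long key ID is field 5 of the "sec" record in colon output.
    key_id=$(gpg --list-secret-keys --with-colons demo-signer@example.com |
             awk -F: '/^sec/ { print $5; exit }')
    [ -n "$key_id" ] || return 1

    # Step 4, scoped to this repository instead of --global.
    git -C "$demo_repo" init -q &&
    git -C "$demo_repo" config user.name 'Demo Signer' &&
    git -C "$demo_repo" config user.email 'demo-signer@example.com' &&
    git -C "$demo_repo" config user.signingkey "$key_id" &&
    git -C "$demo_repo" config commit.gpgsign true || return 1

    # Step 5: with commit.gpgsign=true no -S flag is needed.
    echo 'hello' > "$demo_repo/README" &&
    git -C "$demo_repo" add README &&
    git -C "$demo_repo" commit -q -m 'signed commit' || return 1
    signed=$(git -C "$demo_repo" rev-parse HEAD) || return 1

    # Case 1, good signature: verify-commit exits 0 and %G? prints G.
    git -C "$demo_repo" verify-commit "$signed" 2>/dev/null || return 1
    [ "$(git -C "$demo_repo" log -1 --format=%G? "$signed")" = G ] || return 1

    # Case 2, tampering: rewrite the commit object keeping the original gpgsig
    # header but changing the message. The signature covers the whole object,
    # so verification now reports a BAD signature.
    tampered=$(git -C "$demo_repo" cat-file -p "$signed" |
               sed 's/^signed commit$/tampered commit/' |
               git -C "$demo_repo" hash-object -t commit -w --stdin) || return 1
    if git -C "$demo_repo" verify-commit "$tampered" 2>/dev/null; then return 1; fi
    [ "$(git -C "$demo_repo" log -1 --format=%G? "$tampered")" = B ] || return 1

    # Case 3, spoofed author: the author field is free text, so an unsigned
    # commit can claim the same name and email; only the missing signature
    # (%G? = N) separates it from the key holder's own work.
    git -C "$demo_repo" commit -q --allow-empty --no-gpg-sign \
        --author='Demo Signer <demo-signer@example.com>' -m 'unsigned commit' || return 1
    if git -C "$demo_repo" verify-commit HEAD 2>/dev/null; then return 1; fi
    [ "$(git -C "$demo_repo" log -1 --format=%G? HEAD)" = N ] || return 1

    # Step 6 from the peer's side: import only the exported public key into an
    # empty keyring. The signature is good, but %G? prints U (unknown validity)
    # until the peer has checked the fingerprint and marked the key as trusted.
    peer_home=$(mktemp -d) && chmod 700 "$peer_home" || return 1
    gpg --armor --export demo-signer@example.com |
        GNUPGHOME="$peer_home" gpg --batch --quiet --import 2>/dev/null || return 1
    [ "$(GNUPGHOME="$peer_home" git -C "$demo_repo" log -1 --format=%G? "$signed")" = U ] || return 1

    # Cleanup: stop the agents started for the temporary homes, remove everything.
    gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$peer_home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$demo_repo" "$GNUPGHOME" "$peer_home"
    if [ -n "$saved_gnupghome" ]; then GNUPGHOME=$saved_gnupghome; else unset GNUPGHOME; fi
    return 0
}

sign_and_verify_demo && echo "all signature checks behaved as expected"
```

Run it with sh; it exits 0 only when all four outcomes (G, B, N and U) came out as expected, and 2 if gpg or git is missing. The part worth keeping for daily use is the %G? placeholder: git log --format='%h %G? %GS %s' shows at a glance which commits on a branch carry a verified signature and who signed them, which is what the "Verified" badge on GitHub computes for you.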

Conclusion

Signing your commits is a simple yet effective way to enhance the security and trustworthiness of your contributions to a Git repository. By following the steps outlined in this guide, you can start signing your commits today and contribute to a more secure and transparent development process. Whether you're working on open-source projects or proprietary software, commit signing helps ensure the integrity and authenticity of your code changes, fostering a culture of trust and collaboration within the developer community.

Top comments (20)

Christophe Colombier • Edited

Signing commits with an SSH key is easier to set up and should be considered the default method.

dev.to/igmrrf/adding-ssh-keys-to-y...

GPG world comes with a lot of issues and background

Red Ochsenbein (he/him)

And where in this article are the commits signed?

Christophe Colombier

Red Ochsenbein (he/him)

Thanks. One thing is missing: How would you verify the signature? With gpg there is at least the possibility to retrieve the public key from a key server. There is no such thing for ssh. How would you manage the public keys of your peers to verify the signed commits?

Christophe Colombier • Edited

I will detail with my next post. Here you rely on GitHub/GitLab.

I did some research, and GPG signing seems to remain the reference in terms of security because:

  • you can revoke a GPG key
  • you can set an expiration for a GPG key
  • there is "global authority"
Christophe Colombier

@imransaifi but in my article I already wrote the part about allowed_signers file inside the repository

Christophe Colombier

Lol. Indeed. I quoted a wrong one. I'll write one on dev.to if I don't find one.

Mohammad Imran

I just updated the article. Thanks for commenting and letting me know.

Mohammad Imran

I just updated the article with the screenshot of a signed commit. I missed that.
Thanks for letting me know.

Mohammad Imran

Thanks. I will definitely try with ssh key. I was using GPG key and thought that GPG keys are more secure. But now I will definitely try other methods too.

Bruno

You can sign your commits with your email address, the user signing key and the -S flag. And if you are working in a private company project, for example, you would be using a company email address, so it seems overkill to do this whole approach with GPG. It is rubbing me off a tad with sharing your GPG key with others as well, seems a bit insecure to me 🤔

Red Ochsenbein (he/him)

Well, sharing your public key with others is the whole point of gpg. This way people can verify your signed commit is actually yours...

Mohammad Imran

Thanks for sharing! I will definitely try other things as well. I just thought GPG is a little more secure than other options. But after your suggestion, I will definitely try other options as well.

Jesus Pacheco

How can the others team members see if commits are signed ??

Red Ochsenbein (he/him)
git log --show-signature
Mohammad Imran

I updated the article with the screenshot of a signed commit.
Thank you so much for commenting, Jesus.

Madhu Saini

Thanks for sharing, Imran!

Mohammad Imran

You're welcome Madhu.

Bart97coder

Good guide

Mohammad Imran

Thank you, Bart.