How to Sign Your Commits: A Guide for Git Users

How to Sign Your Commits: A Guide for Git Users

Boost Your Code Security, Learn How to Sign Your Commits Like a Pro

Mohd Imran's photo
Mohd Imran
ยท

4 min read

Table of contents

Why Sign Your Commits?

Before learning how to sign commits, we will learn why signing your commits is important.

Commit signing offers several benefits for both individual developers and collaborative projects:

  1. Code Integrity: Signing your commits verifies that they were indeed authored by you and have not been tampered with since. This helps maintain the integrity of the codebase and ensures that only trusted changes are accepted.

  2. Attribution: Signed commits provide clear attribution, allowing project maintainers and collaborators to identify the author of each change accurately.

  3. Trust and Verification: By signing your commits with a cryptographic key, you establish trust in your contributions. Other developers can verify the authenticity of your commits using your public key, thereby increasing confidence in the codebase.

  4. Compliance and Audit Trails: In certain industries or projects with strict regulatory requirements, commit signing helps maintain compliance and provides an audit trail for all changes made to the codebase.

How to Sign Your Commits

Signing your commits involves a few simple steps. Below, we outline the process using Git and GPG (GNU Privacy Guard), a widely-used open-source encryption software:

Step 1: Install GPG

If you haven't already, install GPG on your system. You can download and install GPG from the official website for Windows and MacOS or use your package manager for Linux distributions.

I am using Ubuntu. GPG is already installed on that. Check it by using the gpg --help command.

Step 2: Generate a GPG Key Pair

Generate a new GPG key pair using the gpg --full-generate-key command. Follow the prompts to enter your type of key, key bit size, expiration time, name, email address, and passphrase. This passphrase will be used to protect your private key, so choose a strong and memorable one.

๐Ÿ’ก
Recommendation: the key size should be 4096 bits as its the most secure.
๐Ÿ’ก
Recommendation: select key type 1 that is RSA and RSA which will be helpful in encrypting the commits and alot of other things and not just signing the commits

Step 3: List Your GPG Keys

List the GPG keys on your system using gpg --list-secret-keys --keyid-format LONG. This command will display a list of GPG keys along with their associated IDs.

Step 4: Configure Git to Use Your GPG Key

Configure Git to use your GPG key for signing commits by running the following commands:

git config --global user.signingkey <GPG_KEY_ID>
git config --global commit.gpgsign true

Replace <GPG_KEY_ID> with the ID of your GPG key, which you obtained from the previous step.

Step 5: Make a Signed Commit

Now, whenever you make a commit, add the -S flag to sign it with your GPG key:

git commit -S -m "Your commit message"

Your commit is now signed with your GPG key, and the signature is embedded in the commit metadata.

Step 6: Share Your Public Key

To allow others to verify your signed commits, share your GPG public key with them. You can export your public key using:

gpg --armor --export <YOUR_EMAIL>

Replace <YOUR_EMAIL> with the email address associated with your GPG key. Share the exported public key through key servers, email, or other secure channels.

Step 7: Add your GPG key to your Github account

To enable GitHub to recognize your signed commits and display a "Verified" badge next to them, you need to add your GPG key to your GitHub account.

Copy Your GPG Key: Copy the output including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- from the previous step

Go to your GitHub settings > SSH and GPG keys > New GPG key

Paste Your GPG Key: Paste your GPG public key into the Key field.

Click Add GPG key to save it to your GitHub account.

Now Your GPG key is added to you GitHub account.

Once you've added your GPG key to your GitHub account, GitHub will recognize your signed commits and display a "Verified" badge next to them. This provides additional validation of your commits' authenticity to other contributors and users of the repository.

Conclusion

Signing your commits is a simple yet effective way to enhance the security and trustworthiness of your contributions to a Git repository. By following the steps outlined in this guide, you can start signing your commits today and contribute to a more secure and transparent development process. Whether you're working on open-source projects or proprietary software, commit signing helps ensure the integrity and authenticity of your code changes, fostering a culture of trust and collaboration within the developer community.

Did you find this article valuable?

Support Mohd Imran by becoming a sponsor. Any amount is appreciated!

GitHubGitsign commitsSecure Coding PracticesOpen Source
ย