Signing Git Commits

Protect your code commits from malicious changes by GPG-signing them.

Often when people talk about GPG, they focus on encryption—GPG’s ability to
protect a file or message so that only someone who has the appropriate
private key can read it. Yet, one of the most important functions GPG offers
is signing. Where encryption protects a file or message so that only the
intended recipient can decrypt and read it, GPG signing proves that the
message was sent by the sender (whomever has control over the private key used
to sign) and has not been altered in any way from what the sender wrote.

Without GPG signing, you could receive encrypted email that only you could
open, but you wouldn’t be able to prove that it was from the sender. But,
GPG signing has applications far beyond email. If you use a modern Linux
distribution, it uses GPG signatures on all of its packages, so you can be
sure that any software you install from the distribution hasn’t been altered
to add malicious code after it was packaged. Some distributions even GPG-sign
their ISO install files as a stronger form of MD5sum or SHA256sum to verify
not only that the large ISO downloaded correctly (MD5 or SHA256 can do that),
but also that the particular ISO you are downloading from some random mirror
is the same ISO that the distribution created. A mirror could change the
file and generate new MD5sums, and you may not notice, but it couldn’t
generate valid GPG signatures, as that would require access to the
distribution’s signing key.

Why Sign Git Commits

As useful as signing packages and ISOs is, an even more important use of GPG
signing is in signing Git commits. When you sign a Git commit, you can prove
that the code you submitted came from you and wasn’t altered while you were
transferring it. You also can prove that you submitted the code and not
someone else.

Being able to prove who wrote a snippet of code isn’t so you know who to
blame for bugs so the person can’t squirm out of it. Signing Git commits is
important because in this age of malicious code and back doors, it helps
protect you from an attacker who might otherwise inject malicious code into
your codebase. It also helps discourage untrustworthy developers from
adding their own back doors to the code, because once it’s discovered, the bad
code will be traced to them.

How to Sign Git Commits

The simplest way to sign Git commits is by adding the -S option
to the git
command. First, figure out your GPG key ID with:

Powered by WPeMatico