Andreas Augustin

Posted on • Edited on • Originally published at github.com

GIT - how and why to sign commits


Abstract

You should always sign your git commits. Why?

Why to sign commits

Git attributes a commit to a user only by the user.name and user.email values recorded in the commit itself, and anyone anywhere can create and push commits under another person's name. The attribution is taken from the user.email that git writes into the commit.

You can try this yourself. Just create a new repository in a folder of your choice.

Let's create a git repository locally.

```bash
mkdir sign_commits
cd sign_commits
git init
```

(screenshot: init_repo)

First let's check our current global settings:

```bash
$ git config --global user.email
jane.doe@world.universe
```

and compare them with our local git repository settings:

```bash
git config user.email
```

Those are the same. Now let's change the local git repository settings:

```bash
git config user.email 'john.doe@example.dev'
```

Remark: you can also use `git config [--global] --edit` to edit all configuration values in an editor.

Let's now check the current settings and compare them to the global settings:

```bash
git config user.email
git config --global user.email
```

You can see that they differ. This has no value for our current experiment,
but I wanted to make sure that we do not touch our global settings.

(screenshot: git_config)

Now let's create a commit and check the history:

```bash
echo "# git sign commits" >> README.md
git add .
git commit -m "doc(): add some super nice docs"
git log
```

(screenshot: first_commit)

Now let's change the user name and the mail address and make another commit:

```bash
git config user.email 'fake.me@fake.me'
git config user.name 'fake me'
echo "if the account exists e.g. on github.com the commit will be assigned to that person" >> README.md
git add .
git commit -m "doc(): add some super nice docs"
git log
```

(screenshot: second_commit)

You can see that the second commit is attributed to fake me with the mail address fake.me@fake.me.
If you use github.com as your git provider, push this commit, and the mail address fake.me@fake.me is registered to an existing user, the commit will be shown as that user's.

As you can see, it is very easy to make commits in other people's names.
Want an example? Here is a prank of a fake Linus Torvalds stating that linux is deleted.

As you can imagine, it is not only pranks: this is a security issue. Imagine you are working in a team on an open source project on GitHub. A teammate (who is in fact an impostor) opens a pull request. You know that the real teammate is a great coder, so you don't check the changes in detail and merge them into your main branch. This is obviously an attack vector. How do you prevent it? Start signing your commits today.
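To make concrete where this attribution actually lives, here is an added Python example (not part of the original post) that parses a raw commit object as printed by `git cat-file -p <sha>`. The two commit objects, their hashes, timestamps and the armored signature block are constructed placeholders. The parser shows that the author and committer headers are plain text copied from `user.name` and `user.email`, that a signed commit differs only by carrying an extra `gpgsig` header, and which part of the object a signature covers (the whole object minus the `gpgsig` header itself), which is why a signature cannot simply be copied onto a different commit.

```python
"""Parse raw git commit objects and show where author attribution lives.

Added example; the input objects below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: an unsigned commit whose identity was set purely via
# `git config user.name` / `user.email` (placeholder parent hash and timestamps).
UNSIGNED_COMMIT = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 0000000000000000000000000000000000000001",
    "author fake me <fake.me@fake.me> 1700000000 +0100",
    "committer fake me <fake.me@fake.me> 1700000000 +0100",
    "",
    "doc(): add some super nice docs",
    "",
])

# Constructed sample: same shape, but with a gpgsig header. In the raw object,
# continuation lines start with one space and the armor's blank line is a lone
# space. The armored block is a placeholder, not a real PGP signature.
SIGNED_COMMIT = "\n".join([
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 0000000000000000000000000000000000000001",
    "author john doe <john.doe@example.dev> 1700000100 +0100",
    "committer john doe <john.doe@example.dev> 1700000100 +0100",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " iQEzBAABCAAdFiEEPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER",
    " =AbCd",
    " -----END PGP SIGNATURE-----",
    "",
    "doc(): now with signed commit :star:",
    "",
])

# "name <email> timestamp tz" as written by git into author/committer headers.
IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")


@dataclass
class Commit:
    headers: List[Tuple[str, str]] = field(default_factory=list)
    message: str = ""

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers:
            if key == name:
                return value
        return None


def parse_commit(raw: str) -> Commit:
    """Split a raw commit object into its headers and message.

    Headers end at the first empty line; a line starting with a space continues
    the previous header's value (this is how multi-line gpgsig values are stored).
    """
    commit = Commit()
    head, _, message = raw.partition("\n\n")
    key, value_lines = None, []
    for line in head.split("\n"):
        if line.startswith(" ") and key is not None:
            value_lines.append(line[1:])
            continue
        if key is not None:
            commit.headers.append((key, "\n".join(value_lines)))
        key, _, first = line.partition(" ")
        value_lines = [first]
    if key is not None:
        commit.headers.append((key, "\n".join(value_lines)))
    commit.message = message
    return commit


def author_identity(commit: Commit) -> Tuple[str, str]:
    """Return (name, email) from the author header; both are unauthenticated text."""
    match = IDENT_RE.match(commit.header("author") or "")
    if not match:
        raise ValueError("malformed or missing author header")
    return match.group("name"), match.group("email")


def is_signed(commit: Commit) -> bool:
    return commit.header("gpgsig") is not None


def signed_payload(raw: str) -> str:
    """Return the text a commit signature is computed over: the raw object with
    the gpgsig header and its continuation lines removed."""
    head, sep, message = raw.partition("\n\n")
    kept, skipping = [], False
    for line in head.split("\n"):
        if line.startswith(" ") and skipping:
            continue
        skipping = line.startswith("gpgsig ")
        if not skipping:
            kept.append(line)
    return "\n".join(kept) + sep + message


if __name__ == "__main__":
    for raw in (UNSIGNED_COMMIT, SIGNED_COMMIT):
        c = parse_commit(raw)
        print(author_identity(c), "signed:", is_signed(c))
```

The `author` header is free text: nothing in an unsigned object ties `fake me <fake.me@fake.me>` to a key or account, which is exactly the gap the git provider fills in by looking the address up. A signature, by contrast, is bound to the tree, parents, author, committer and message, so any change to those invalidates it.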

How to sign commits

It is possible to sign git commits with GPG.
First let's revert our fake identity settings:

```bash
git config user.name 'john doe'
git config user.email 'john.doe@example.dev'
```

Now we need to create a GPG key:

```bash
gpg --gen-key
```

Follow the dialog and confirm with O.
Now let's grab the key id and add it to the git config:

```bash
$ gpg --list-keys "$(git config user.email)"
$ git config [--global] user.signingkey <key_id>
```

Now you can sign your commits with the -S flag, or add it to the git settings to make signing the default behaviour:

```bash
git config [--global] commit.gpgsign true
```

Now let's check what has changed. We first create a signed commit and then check its signature:

```bash
echo "now the commits are signed" >> README.md
git add .
git commit -S -m "doc(): now with signed commit :star:"
git log --show-signature
```

(screenshot: signed_commits)

You should now also add the public key to your git provider's settings so that the provider can verify the signature and show the commit as verified.
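Once commits are signed, the check a reviewer or CI job actually wants is "is every commit on this branch signed by a key we trust?". The following added Python example (not from the original post) asks git for the signature status of each commit through the `%G?` and `%GF` placeholders of `git log --format` and flags anything that is not a good signature from an allow-listed fingerprint. The sample log lines, hashes and fingerprints are constructed; the `git_log_lines` helper runs the real `git log` against a repository you point it at and needs the signers' public keys in your gpg keyring.

```python
"""Audit commit signatures from `git log` output (added example).

Uses git's %G? (signature status) and %GF (signing key fingerprint)
placeholders documented under "PRETTY FORMATS" in git-log(1).
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Meaning of the %G? status letters as documented in git-log(1).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing public key)",
    "N": "no signature",
}

# NUL-separated fields so that subjects containing spaces cannot break parsing.
LOG_FORMAT = "%H%x00%G?%x00%GF%x00%ae%x00%s"

# Constructed sample: placeholder hashes and fingerprints, not real commits.
TRUSTED_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
UNKNOWN_FPR = "9999888877776666555544443333222211110000"
SAMPLE_LOG = [
    "a" * 40 + "\x00G\x00" + TRUSTED_FPR + "\x00john.doe@example.dev\x00doc(): now with signed commit :star:",
    "b" * 40 + "\x00N\x00\x00fake.me@fake.me\x00doc(): add some super nice docs",
    "c" * 40 + "\x00U\x00" + UNKNOWN_FPR + "\x00someone@example.dev\x00chore: bump version",
]


@dataclass
class Finding:
    sha: str
    status: str
    fingerprint: str
    email: str
    subject: str
    reason: str


def audit(log_lines: Iterable[str],
          allowed_fingerprints: Optional[Set[str]] = None) -> List[Finding]:
    """Return one Finding per commit that is not a good signature from an allowed key.

    With allowed_fingerprints=None any good signature ("G") passes; otherwise the
    signing key's fingerprint must also be on the allow-list.
    """
    findings: List[Finding] = []
    for line in log_lines:
        if not line:
            continue
        sha, status, fpr, email, subject = line.split("\x00", 4)
        if status != "G":
            reason = STATUS_MEANING.get(status, f"unknown status {status!r}")
        elif allowed_fingerprints is not None and fpr not in allowed_fingerprints:
            reason = "good signature, but key is not on the allow-list"
        else:
            continue
        findings.append(Finding(sha, status, fpr, email, subject, reason))
    return findings


def git_log_lines(rev_range: str = "HEAD", repo: str = ".") -> List[str]:
    """Run the real `git log` for rev_range (e.g. 'main..feature') in repo."""
    result = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Replace SAMPLE_LOG with git_log_lines("main..HEAD") to audit a real branch.
    for f in audit(SAMPLE_LOG, {TRUSTED_FPR}):
        print(f"{f.sha[:12]} {f.status} {f.email}: {f.reason}")
```

Note that a status of `U` is a good signature by a key git could find but whose ownership has not been validated in your keyring, and `E` usually means the public key is missing; both are treated as findings because neither establishes who made the commit. Pinning fingerprints rather than e-mail addresses matters for the same reason the post gives: the address in the commit is whatever the committer configured.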

Further readings
