Skip to content

Instantly share code, notes, and snippets.

@rafaelrinaldi

rafaelrinaldi/README.md

Last active December 15, 2015 16:57
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save rafaelrinaldi/556a1bcb5ab80890bb9e to your computer and use it in GitHub Desktop.
Save rafaelrinaldi/556a1bcb5ab80890bb9e to your computer and use it in GitHub Desktop.
Download ZIP
Signing Git commits
Raw
README.md

Signing Git commits

Why

Because after reading this blog post (sent by my dear friend @hugobessaa) I got paranoid. It's a little effort that can avoid a lot of trouble.

The problem

  1. User changes the commit author using the --author option
  2. The commit then introduces a new bug (blaming the new author)
  3. Crackers explore this breach 💀
  4. An audit will not be able to identify who was the commit author

The solution

Since Git 1.7.2, one can sign commits (and tags) using their own GPG key.

How

  • Install gpg. You can install it from Homebrew:
$ brew install gpg
  • Generate a fresh key:
$ gpg --gen-key # Default options are fine
  • Now list all secret keys and copy the content from the sec row after the first /. Something like this:
$ gpg --list-secret-keys
/Users/your-user/.gnupg/secring.gpg
---------------------------------------
sec   XXXXX/YYYYYYYY 2015-01-01
uid                  Your Name (Your Comment) <your@email.com>
ssb   XXXXX/ZZZZZZZZ 2015-01-01

# What you want is that YYYYYYYY
  • Register your key to your Git configuration file:
$ git config --global user.signingkey your-key
  • You can now sign commits by using git commit -S. You might want to add it as an alias to your .gitconfig:
[alias]
  commit = commit -S
  • Profit 💰

Further Reading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment