Index

Git commit signing: Verifying code authenticity

Greg Foster
Greg Foster
Graphite software engineer
Try Graphite

Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


Table of contents

What is a signed commit?

A signed Git commit is a commit that includes a cryptographic signature, typically generated using GPG (GNU Privacy Guard) or SSH keys. This signature verifies that the commit was made by the holder of the corresponding private key and that the commit's content has not been altered since it was signed.

When a commit is signed, GitHub and other platforms can display a "Verified" badge, indicating that the commit's authenticity has been confirmed. This process helps ensure that the code changes originate from a trusted source and have not been tampered with.

Why signed git commits matter

Unsigned commits can be easily spoofed, as Git allows users to set arbitrary author names and email addresses. This flexibility, while useful, means that without verification, there's no guarantee that a commit truly comes from the claimed author.

By signing commits:

  • Authenticity is established: Only someone with access to the private key can produce a valid signature, confirming the author's identity.
  • Integrity is maintained: Any changes to the commit after signing will invalidate the signature, signaling potential tampering.
  • Trust is built: Collaborators and users can trust that the code they're reviewing or using comes from a verified source.

This is particularly important in open-source projects and environments where code integrity and provenance are critical.

How to sign git commits

Using GPG

  1. Generate a GPG key:

    Terminal
    gpg --full-generate-key

    Follow the prompts to create your key.

  2. List your GPG keys:

    Terminal
    gpg --list-secret-keys --keyid-format=long

  3. Configure Git to use your GPG key:

    Terminal
    git config --global user.signingkey YOUR_KEY_ID
    git config --global commit.gpgsign true

  4. Sign a commit:

    Terminal
    git commit -S -m "Your commit message"

  5. Add your GPG public key to GitHub: Export your public key:

    Terminal
    gpg --armor --export YOUR_KEY_ID

    Then, add it to your GitHub account settings under "SSH and GPG keys".

Using SSH

Starting with Git 2.34, you can sign commits using SSH keys:

  1. Generate an SSH key (if you don't have one):

    Terminal
    ssh-keygen -t ed25519 -C "your_email@example.com"

  2. Configure Git to use your SSH key for signing:

    Terminal
    git config --global gpg.format ssh
    git config --global user.signingkey ~/.ssh/id_ed25519
    git config --global commit.gpgsign true

  3. Add your SSH public key to GitHub: Copy the contents of your id_ed25519.pub file and add it to your GitHub account settings under "SSH and GPG keys". When adding the key, be sure to select "Signing Key" as the key type from the dropdown menu (not the default "Authentication Key" option).

Verifying signed commits

To verify the signature of a commit:

Terminal
git log --show-signature

This command displays the signature information for each commit, indicating whether the signature is valid and who signed it.

For a specific commit:

Terminal
git verify-commit COMMIT_HASH

This checks the validity of the signature on the specified commit.

Integrating commit signing with Graphite

Graphite is a tool that enhances Git workflows, particularly for managing stacked pull requests. It supports commit signing to maintain the integrity and authenticity of your commits during operations like rebasing.

To enable commit signing in Graphite:

  1. Generate a GPG key within Graphite or import an existing one.

  2. Add your public key to GitHub to ensure that signed commits are recognized and marked as verified.

  3. Configure Graphite to use your GPG key for signing commits during its operations.

By integrating commit signing with Graphite, you ensure that all commits made through Graphite are authenticated and trusted, aligning with best practices for secure software development.

Conclusion

By adopting signed Git commits, you enhance the security and trustworthiness of your codebase, making it more resilient against impersonation and tampering. Tools like Graphite further streamline this process, integrating commit signing into advanced Git workflows.

Related guides

Establishing code ownership best practices

This guide explains how to implement effective code ownership strategies using GitHub CODEOWNERS and...

Sapling

Sapling: A Source Control System developed at Meta, designed to emphasize usability and scalability....

How to create and apply Git patches

This guide will explain what a patch is, how to create them from Git diffs, and how to apply those p...

Last modified 28 days ago

0 min read
On this page
Share
Git inspired
Graphite's CLI and VS Code extension make working with Git effortless.
Learn more

Built for the world's fastest engineering teams, now available for everyone

Request a demo
Start free trial