What is commit signing Link to heading
Signing a commit means adding a cryptographic hash which can be only generated through the author’s private key (called “signature”), thus verifying the identity of the author of the commit. To sign a commit, a developer uses a GPG (GNU Privacy Guard) key. GPG allows you to encrypt and sign your data and communications; it features a versatile key management system and access modules for all kinds of public key directories 2.
When an author creates a GPG signature, it is generated as a combination of a private key and a public key, the private key is saved on the author’s computer, and the public key is shared with the version control system, which uses the public key to verify the commits which contain a hash generated using the private key.
Why you should sign a git commit Link to heading
Avoid impersonations Link to heading
If an author does not sign their commits, it becomes simple to impersonate them. Anyone who has access to contribute to a repository can update git config user.email
and git config user.name
to the details of the author who does not sign their commits impersonating the author.
You can avoid impersonations when you sign commits; as a commit can only be signed by the author’s private key (or someone with the author’s private key), a signed commit becomes proof that the author made the commit from the commit details. Programs like GPG provide a way to generate and manage keys (signatures) and sign commits only after entering a signing password, making using a compromised private key difficult. When you habitually sign all your commits, an unsigned commit can be flagged as an impersonation for further investigation.
Secure repository against malicious changes Link to heading
Suppose an attacker tries to impersonate a repository collaborator who has been making regular stable updates. In that case, the attacker can create a pull request (or a merge request) impersonating an author, increasing the odds of getting approval on the code changes.
Safety against supply chain attacks Link to heading
A supply chain attack is a cyber-attack where an attacker targets a company or organization’s supply chain, including all the vendors, suppliers, and contractors the organization relies on to conduct its operations.
In a supply chain attack, a malicious user can insert code and backdoor vulnerabilities in open-source libraries and packages used in applications in different companies. When the companies update their code to use the updated libraries, the attacker exploits the vulnerabilities and attacks the applications.
In other instances, a disgruntled employee who knows internal libraries and packages used by an application creates a replica in open source with the same name with a newer version. When a company uses a mix of internal libraries and open-source code, the package managers pull in code from open-source instead of the internal repositories, which inject applications with malicious code.
When a repository enforces signing commits, it provides authenticity that all the code in the repository comes from accepted collaborators. Having commit signing enforced in the repository, which provides critical features, ensures the repository is compromised with a supply chain attack.
The verification badge Link to heading
A signed commit shows up with the Verified
badge in the source control system.
How to sign commits with Github Link to heading
Setup your GPG key Link to heading
- Install the latest version of GPG tools from https://www.gnupg.org/download/.
- Generate a GPG key pair
gpg --full-generate-key
- View the generated key
gpg --list-keys
Setup Git CLI to sign commits by default Link to heading
git config --global commit.gpgsign true
git config --global user.signingkey <signingkey_key_id>
Add GPG key to your Github account 1 Link to heading
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the “Access” section of the sidebar, click SSH and GPG keys.
- Next to the “GPG keys” header, click New GPG key.
- In the “Title” field, type a name for your GPG key.
- In the “Key” field, paste the GPG key you copied when you generated your GPG key.
- Click Add GPG key.
- To confirm the action, authenticate to your GitHub account.
Enforce signed commits Link to heading
When working with critical repositories, enforcing signed commits on your GitHub repositories can protect your libraries from impersonation and supply chain attacks.
- Go to your Github repo and click
Settings
. - Click
Branches
. - Click
Edit
on your main branch. - Under
Protect matching branches
, checkRequire signed commits
. - Click
Save Changes
.