Sign your git commits now!

In this blog post, we will talk about git commits and how to protect yourself and your organization from spoofing. As you may know, when you use Git, you can set whoever you want as a commit author. You can commit as Linus Torvalds if you want.

All you need to do to impersonate someone is:

git config --global user.name "Linus Torvalds"
git config --global user.email "[email protected]"

Git add, commit & push! Voilà!

Git commits spoofing screenshot

How to sign your git commits using GPG

There are many ways to generate a GPG keypair. You can either use the plain gpg command or Keybase.

Personally, I like Keybase. It lets you manage your GPG keys easily and it's very simple to use. You can sync your keys across multiple computers, among many other features.

Configure git

I assume that you have already installed and configured GnuPG (through Keybase or another method).

If that is done, this command should give you the identifier of your secret key:

gpg --list-secret-keys --keyid-format LONG

You can also verify that your public key is properly configured:

gpg --list-keys --keyid-format LONG

You can enable commit signing on demand with the -S option of git commit. The first time in each session, you will be prompted for your private key passphrase.

git commit -S -m "My signed commit"

If you want to enable signing for all your commits, you can configure it globally:

# Take the key id from your own secret key (the first one if you have several); grep -P requires GNU grep
git config --global user.signingkey $(gpg --list-secret-keys --keyid-format LONG | grep '^sec' | grep -o -P '(?<=/)[A-Z0-9]{16}' | head -n 1)
git config --global commit.gpgsign true

Unverified signed commit

The commit is now signed, but GitHub does not show it as verified yet, because it does not know your public key.

You need to export your public key for the next step:

gpg --armor --export EMAIL_ADDRESS

Verify commit - GitHub

Go to the SSH and GPG keys settings page on GitHub and click the New GPG key button. Then paste your public key and click Add GPG key.

Add gpg key github

Verified commit

Verify commit - GitLab

Go to the GPG Keys settings page on GitLab. Paste your public key and click Add key.

Add gpg key gitlab

Verified commit
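The "Verified" badge only covers the web UI. The same check can be run locally or in CI with git log's signature placeholders (%G? for the verification status, %GF for the signing key fingerprint), so that unsigned commits, bad signatures, and signatures from keys outside your team are caught before a merge. This is an added example, not code from the post; the fingerprints in TRUSTED_FPRS are constructed placeholders, and the audit_signatures function assumes git and gpg are installed with the signers' public keys imported.

```shell
#!/bin/sh
# Added example: audit commit signatures in a range before merging.
# Usage: audit_signatures origin/main..HEAD

# Allowlisted signing key fingerprints (constructed placeholders; use your team's real ones).
TRUSTED_FPRS="0000000000000000000000000000000000000001 0000000000000000000000000000000000000002"

# Classify one "git log" line: "<hash> <status> <fingerprint>".
# Prints "<hash> ok|reason"; returns 0 only when the commit is acceptable.
classify_line() {
    hash=$1; status=$2; fpr=$3
    case "$status" in
        G|U) ;;                                   # good signature (U: key not trust-signed, but valid)
        N) echo "$hash unsigned"; return 1 ;;
        B) echo "$hash bad-signature"; return 1 ;;
        E) echo "$hash cannot-verify (missing public key)"; return 1 ;;
        X|Y|R) echo "$hash expired-or-revoked-key ($status)"; return 1 ;;
        *) echo "$hash unknown-status ($status)"; return 1 ;;
    esac
    # A valid signature is not enough: the key must belong to the allowlist.
    case " $TRUSTED_FPRS " in
        *" $fpr "*) echo "$hash ok"; return 0 ;;
        *) echo "$hash untrusted-key $fpr"; return 1 ;;
    esac
}

# Read "<hash> <status> <fingerprint>" lines on stdin; fail if any commit is rejected.
audit_lines() {
    rc=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        classify_line "$hash" "$status" "${fpr:-none}" || rc=1
    done
    return $rc
}

# Run against a real repository range, e.g. audit_signatures origin/main..HEAD
audit_signatures() {
    git log --format='%H %G? %GF' "$1" | audit_lines
}
```

A non-zero exit from audit_signatures is what a CI job or a server-side pre-receive hook would act on.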

GPG

You now know how to sign your git commits using GPG and protect yourself from spoofing. GPG has many uses: you can encrypt communication (email), files, artifacts… Signing artifacts is a good idea for a future blog post ;)