Sign your Git Commits
Git is a tool that I and many other developers use daily as our driver of choice for managing code, collaborating with teammates, and keeping track of every change in a project's history.
Working on several projects at once, and contributing to projects you do not control, makes it surprisingly easy for a bad actor to slip in malicious changes or tamper with your code without you noticing. There are plenty of resources on the internet describing how to spoof git commits under someone else's identity, since git itself does not verify the name and e-mail recorded on a commit. Signing your commits is therefore a good way to increase trust that it is genuinely you behind the changes, and not someone impersonating your account.
So why is signing git commits still not widely adopted? Perhaps because, until recently, only GPG keys could be used for signing, not SSH keys.
I won't go into detail on how to sign commits with GPG keys or with projects like gitsign; instead I want to show you how you can use SSH keys for this.
Sign your work with SSH Keys
Using SSH keys to sign your git commits works for GitHub, GitLab, and BitBucket. In theory you could reuse the key pair you already use for authentication, but for the sake of clean separation I will use a different key pair for signing. The next steps assume that you already have a key pair to use.
The first step is to add your SSH public key to the list of verified signing keys:
After doing this, we can configure our local git client to use the key to sign our commits. To do this, add the following configuration to your .gitconfig:
[gpg]
	format = ssh
[user]
	signingKey = ~/$path_to_pub_key
[commit]
	gpgsign = true
Configurational parameters to use SSH keys as signing keys.
This configuration ensures that git will use your SSH key to sign every commit.
Note: the signingKey setting can also point to a private key if ssh-agent is not in use to supply the public key. See: https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey.
That is everything you need to do. Now you can sign every new commit you make.
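To see the whole flow end to end, including the part the platforms do for you (checking the signature against a known key), here is an added example that is not part of the original article. It builds a throwaway repository with the same gpg.format/signingKey/gpgsign settings, signs a commit, and shows that local verification only works once git has an allowed signers file mapping the e-mail to the public key; the key path, identity and directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example: end-to-end check of SSH commit signing in a throwaway repo.
# Assumes git >= 2.34 and OpenSSH >= 8.2 (ssh-keygen -Y). Everything lives
# under a temporary directory; your real ~/.gitconfig is never touched.
# Prints "verified" on success or "unsupported" when the tools are missing.
ssh_signing_demo() {
    command -v git >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 \
        || { echo unsupported; return 0; }
    work=$(mktemp -d) || return 1
    repo="$work/repo"
    email="dev@example.com"               # constructed identity for the demo

    # 1. A dedicated signing key pair, separate from any authentication key.
    ssh-keygen -q -t ed25519 -N '' -C "$email signing key" -f "$work/id_sign" \
        || return 1

    # 2. Repository-local config mirroring the [gpg]/[user]/[commit] settings
    #    from the article (private key path, so no ssh-agent is required).
    git -c init.defaultBranch=main init -q "$repo" || return 1
    git -C "$repo" config user.name "Demo Dev"
    git -C "$repo" config user.email "$email"
    git -C "$repo" config gpg.format ssh
    git -C "$repo" config user.signingKey "$work/id_sign"
    git -C "$repo" config commit.gpgsign true

    # 3. With gpgsign = true every commit is signed automatically.
    git -C "$repo" commit -q --allow-empty -m "signed with an SSH key" \
        2>/dev/null || { echo unsupported; return 0; }

    # 4. Caveat: a signature alone is not verifiable. Without an allowed
    #    signers file git cannot tie the key to an identity and refuses.
    if git -C "$repo" verify-commit HEAD 2>/dev/null; then
        echo "verification succeeded without allowed signers" >&2
        return 1
    fi

    # 5. Map the principal (e-mail) to the public key, then verify again.
    #    Format: <principal> <key-type> <base64 key>
    printf '%s %s\n' "$email" "$(cut -d' ' -f1,2 "$work/id_sign.pub")" \
        > "$work/allowed_signers"
    git -C "$repo" config gpg.ssh.allowedSignersFile "$work/allowed_signers"
    git -C "$repo" verify-commit HEAD 2>/dev/null || return 1
    # %G? is "G" for a good signature, %GS the principal it was matched to.
    status=$(git -C "$repo" log -1 --format='%G? %GS') || return 1
    [ "$status" = "G $email" ] || return 1

    rm -rf "$work"
    echo verified
}
```

Teammates who want to verify your commits locally need the same allowed signers mapping; on the hosting platforms, the key you uploaded as a signing key plays that role.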
If you are using GitHub, your commits will now look something like this:
The benefits of signing with SSH keys are that no additional tooling is needed and that nearly everyone is already familiar with handling SSH keys. However, this method does not cover every feature: for example, it cannot provide a web of trust the way GPG keys can. In a nutshell, GPG allows your key to be signed by others, creating a decentralized trust network over time; if several trusted people have signed your key, others can more confidently trust that it really belongs to you. In my opinion, that is another valuable step towards ensuring integrity, but signing your git commits in the first place is the foundational move that puts you in control of your identity and builds trust with every line of code you share.
Sources
Web of Trust - https://en.wikipedia.org/wiki/Web_of_trust
Git signingKey - https://git-scm.com/docs/git-config#Documentation/git-config.txt-usersigningKey
GitHub Docs new SSH Key - https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account
GitLab Docs new SSH Key - https://docs.gitlab.com/user/ssh/#add-an-ssh-key-to-your-gitlab-account
BitBucket Docs new SSH Key - https://support.atlassian.com/bitbucket-cloud/docs/use-ssh-keys-to-sign-commits/