Signed Commit

From Lingoport Wiki

Introduction

Signed commits are a Git feature that lets contributors cryptographically verify their identity when making a commit, proving that a commit genuinely came from who it claims to come from.

The Problem They Solve

Git allows anyone to set any name and email address in their local configuration. Without signing, nothing stops a bad actor from impersonating another developer by simply setting user.name and user.email to someone else's values. Signed commits close this gap.

How They Work

A contributor generates a cryptographic key pair — most commonly using GPG (GNU Privacy Guard), though SSH keys and S/MIME certificates are also supported. The private key stays secret on the contributor's machine; the public key is uploaded to their account on platforms like GitHub or GitLab. When a commit is made with signing enabled, Git uses the private key to generate a cryptographic signature and attaches it to the commit object. Anyone with the public key can then verify that signature, confirming:

  • Authenticity — the commit was made by whoever owns that private key
  • Integrity — the commit contents have not been tampered with since it was signed

What It Looks Like in Practice

Platforms like GitHub display a "Verified" badge next to signed commits. Unsigned or unverifiable commits show as "Unverified." Repositories can also enforce a branch protection rule requiring all commits to be signed before they can be merged, ensuring a full chain of verified authorship on critical branches.

Common Use Cases

  • Open source projects that accept contributions from strangers and need to trust the commit history
  • Security-sensitive codebases where auditability of who changed what is critical
  • Regulated environments (finance, healthcare, government) with compliance requirements around code provenance
  • Supply chain security — preventing compromised or spoofed commits from introducing malicious code

Basic Setup (GPG)

# Generate a GPG key
gpg --full-generate-key

# Tell Git which key to use
git config --global user.signingkey <KEY_ID>

# Sign commits automatically
git config --global commit.gpgsign true

# Or sign a single commit manually
git commit -S -m "your message"

# Verify a commit's signature
git verify-commit <commit-hash>
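Added example (not part of the Lingoport page, and not Git's own tooling) showing how the verification step above and a "commits must be signed" branch rule can be checked locally or in CI: it runs git log with signature-status placeholders and reports every commit whose status fails the chosen policy. The format string, the two policy sets and the sample log lines are this example's own assumptions; the %G? status codes are Git's documented values.

```python
import subprocess
from typing import List, NamedTuple

# git pretty-format fields: full hash, signature status, signing key, signer name.
# %x1f is an ASCII unit separator, so signer names containing spaces parse cleanly.
LOG_FORMAT = "%H%x1f%G?%x1f%GK%x1f%GS"
# Meaning of the %G? codes, as documented for git log.
STATUS_TEXT = {
    "G": "good signature", "U": "good signature, untrusted key",
    "X": "good signature, expired", "Y": "good signature, key expired",
    "R": "good signature, key revoked", "B": "bad signature",
    "E": "cannot check signature (missing key)", "N": "no signature",
}
# STRICT mirrors a "commits must be signed by trusted keys" rule; LENIENT also
# accepts valid signatures from keys that are not in the local GPG trust database.
STRICT = frozenset({"G"})
LENIENT = frozenset({"G", "U"})
CommitSig = NamedTuple("CommitSig", [("sha", str), ("status", str),
                                     ("key", str), ("signer", str)])


def parse_log(output: str) -> List[CommitSig]:
    """Parse the output of `git log --format=LOG_FORMAT` into CommitSig records."""
    commits = []
    for line in output.splitlines():
        if line.strip():
            sha, status, key, signer = line.split("\x1f", 3)
            commits.append(CommitSig(sha, status or "N", key, signer))
    return commits


def violations(output: str, allowed=STRICT) -> List[str]:
    """One message per commit whose signature status is not in the allowed set."""
    return [f"{c.sha[:12]} {STATUS_TEXT.get(c.status, 'unknown status ' + c.status)}"
            + (f" (key {c.key}, signer {c.signer})" if c.key else "")
            for c in parse_log(output) if c.status not in allowed]


def check_range(rev_range: str, allowed=STRICT, cwd=None) -> List[str]:
    """Run git on a range such as 'origin/main..HEAD' and apply the policy."""
    proc = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                          capture_output=True, text=True, check=True, cwd=cwd)
    return violations(proc.stdout, allowed)


# Constructed sample log output (not from a real repository), one commit per case.
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\x1fG\x1fABCDEF0123456789\x1fAlice Example <alice@example.com>",
    "b" * 40 + "\x1fU\x1f0123456789ABCDEF\x1fBob Example <bob@example.com>",
    "c" * 40 + "\x1fN\x1f\x1f",
    "d" * 40 + "\x1fB\x1fFEDCBA9876543210\x1fMallory <mallory@example.com>",
])
```

Calling check_range("origin/main..HEAD") in a pre-receive hook or CI job and failing when the list is non-empty gives the same effect as the platform's "require signed commits" rule, with the policy under your control.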

Key Concepts Summary

Term            Meaning
GPG/PGP key     The most common key format used for signing
Verified badge  Platform confirmation that the signature checks out
Vigilant mode   A GitHub setting that marks all unsigned commits as unverified
Keyserver       A public directory where you can publish your public key

Signed commits are a foundational practice in modern software supply chain security, and are increasingly expected in professional and open source workflows.