Automatically Signing Your Git Commits
Published . Tags: beards, computer-science, security.
I thought I’d join in by describing how you can automatically sign all of your git commits with your GPG key.
Signing your git commits is good practice. It unambiguously identifies you as the author of a commit. It’s not difficult to forge an email address on a commit, but forging a GPG signature is effectively impossible. If you’re looking for more motivation to sign your commits, try reading this horror story.
I’m going to assume that you’ve already got a GPG key set up and working; see Caleb’s blog post above if you don’t.
First, determine your key’s ID:
```
$ gpg --list-secret-keys
/Users/hrs/.gnupg/secring.gpg
-----------------------------
sec   4096R/25AE721B 2014-01-30
uid                  Harry R. Schwartz <firstname.lastname@example.org>
uid                  Harry R. Schwartz <email@example.com>
ssb   4096R/49D82DA6 2014-01-30
```
Your ID is on the sec line: mine is 25AE721B.
Next, tell git which key to use by setting signingkey in your .gitconfig. Here's an excerpt from my config:
```ini
[user]
    name = Harry Schwartz
    email = firstname.lastname@example.org
    signingkey = 25AE721B
```
You can now sign your commits! As of version 1.7.9, git commit accepts the -S option to attach a signature to your commits. So, for example:
```sh
$ git commit -S -m "My fancy signed commit"
```
This prompts me for my GPG passphrase and commits my code with a signature.
git log doesn't display signatures by default, but you can force it to with --show-signature:
```
$ git log --show-signature
commit 949a3dc31152fd3bfa83355d48d3078b55f0b11c
gpg: Signature made Sat Nov  1 18:07:44 2014 EDT using RSA key ID 25AE721B
gpg: Good signature from "Harry R. Schwartz <email@example.com>"
gpg:                 aka "Harry R. Schwartz <firstname.lastname@example.org>"
Author: Harry Schwartz <email@example.com>
Date:   Sat Nov 1 18:07:44 2014 -0400

    My fancy signed commit
```
Cool! But this is still a little fragile, since now you need to remember to add the -S option every time you commit. That's unlikely to happen.
There are two solutions to this problem. Prior to git 2.0, you'd have to add aliases to your .gitconfig… something like:
```ini
[alias]
    amend = commit -S --amend
    cm = commit -S -m
    # git ignores an alias that shadows a built-in command, so this last line
    # has no effect; only the amend and cm aliases above actually add -S.
    commit = commit -S
```
However, since git 2.0, that's now unnecessary! Instead, you can configure the way the commit command works by adding the following snippet to your .gitconfig:
```ini
[commit]
    gpgsign = true
```
Boom, problem solved. All my commits are now signed. Nice!
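Once signing is automatic, it is worth checking that it actually stuck across a whole range of commits rather than eyeballing --show-signature one commit at a time. The script below is an added example, not code from the original post or from git itself: it asks git log for a machine-readable signature status per commit (the %G? and %GF placeholders) and flags anything that does not carry a good signature from an allow-listed key fingerprint. It assumes git 2.19 or later and gpg on PATH; the function names (parse_log, audit, audit_repo) are my own, and the hashes and fingerprints in the sample are constructed placeholders.

```python
# Added example, not from the original post; assumes git >= 2.19 (for %GF) and gpg on PATH.
import subprocess
from collections import namedtuple

# %G? status letters from git-log(1): G good, B bad, U good/untrusted key, X good/expired
# signature, Y good/expired key, R good/revoked key, E cannot verify (key missing), N unsigned.
STATUS_TEXT = {"G": "good", "B": "BAD signature", "U": "good but key untrusted",
               "X": "good but signature expired", "Y": "good but key expired",
               "R": "good but key revoked", "E": "cannot verify (key missing?)",
               "N": "unsigned"}
# Tab-separated: sha, %G? status, full signing-key fingerprint (%GF, empty if unsigned), subject.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%s"
CommitSig = namedtuple("CommitSig", "sha status fingerprint subject")


def parse_log(text: str) -> list:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    return [CommitSig(sha, status, fpr.upper(), subject)
            for sha, status, fpr, subject in
            (line.split("\t", 3) for line in filter(None, text.splitlines()))]


def audit(entries: list, allowed_fingerprints: set) -> list:
    """One finding per commit lacking a good (G) signature from an allow-listed key.
    Full fingerprints are compared because short key ids (like 25AE721B) can be collided."""
    allowed = {f.upper() for f in allowed_fingerprints}
    findings = []
    for e in entries:
        if e.status == "G" and e.fingerprint in allowed:
            continue  # signed by a key we trust
        why = (f"good signature, but key {e.fingerprint} is not allow-listed" if e.status == "G"
               else STATUS_TEXT.get(e.status, f"unknown status {e.status!r}"))
        findings.append(f"{e.sha[:12]} {why}: {e.subject}")
    return findings


def audit_repo(rev_range: str, allowed_fingerprints: set, repo: str = ".") -> list:
    """Run `git log` over a range such as 'origin/main..HEAD' and audit it."""
    cmd = ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return audit(parse_log(out), allowed_fingerprints)

# Constructed sample log output (placeholder hashes and fingerprints, not real keys).
MAINTAINER_FPR = "0123456789ABCDEF0123456789ABCDEF25AE721B"
SAMPLE_LOG = "\n".join([
    f"949a3dc31152fd3bfa83355d48d3078b55f0b11c\tG\t{MAINTAINER_FPR}\tMy fancy signed commit",
    "1111111111111111111111111111111111111111\tN\t\tForgot to pass -S",
    "2222222222222222222222222222222222222222\tG\tFFFF000011112222333344445555666677778888\tSigned by a stranger",
    "3333333333333333333333333333333333333333\tE\t\tSigned, but no public key in my keyring",
])
```

Running audit_repo("origin/main..HEAD", {MAINTAINER_FPR}) in a real repository is a cheap pre-push or CI check that the gpgsign setting is doing its job; an empty list means every commit in the range is signed by a key you expect.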
To see exactly which changes I made, check the commit to my dotfiles.