Ronak Paul's blog

Enhancing Git Security

Enhancing Git Security

A Guide to Signing Your Commits

Ronak Paul's photo
Ronak Paul
·

7 min read

Table of contents

In the world of software development, the Git version control system has become the bedrock of collaboration, enabling teams to work seamlessly on codebases of all sizes. But as we rely on Git to manage our source code, ensuring the security and integrity of our commits has never been more critical.

Imagine this scenario: You're working on a mission-critical project, and the codebase is constantly evolving with contributions from various team members. How can you be sure that the commits in your repository haven't been tampered with? How do you verify that those commits were indeed made by the collaborators they claim to be from? This is where Git commit signing comes into play.

In this comprehensive guide, we will delve into the world of Git commit signing, exploring its significance, how it works, and why it's a best practice that every developer should embrace. Whether you're a seasoned Git user or just getting started, understanding commit signing is a fundamental skill that can bolster the security of your code and the reliability of your development workflow.

Join us on this journey as we uncover the secrets of Git commit signing and empower you to take your Git repositories to the next level of security and trustworthiness. Let's get started!

Signing commits

Signing Git commits is an important security measure to verify the authenticity and integrity of commits in a Git repository. Suppose you are working on a project and you making some changes in the codebase, how a third person can be sure that the changes are done by you and not by anyone else? That's why we use the signing of commits to be sure that the contributor is authenticated.

When we sign a Git commit, we use our GPG (GNU Privacy Guard) key to create a cryptographic signature for the commit. This signature can then be verified by others to ensure that the commit was made by me and hasn't been tampered with.

Requirement and Benefits

  1. Authentication: Signing commits proves that they were made by you and not by someone else pretending to be you. It adds an extra layer of trust to the commit history.

  2. Integrity: The cryptographic signature ensures that the commit has not been altered since it was signed. If someone tries to modify a signed commit, the signature verification will fail.

  3. Non-repudiation: Once a commit is signed, you cannot deny that you made that commit. This is particularly important in open-source projects or collaborative work where accountability matters.

  4. Trust in the commit history: Trust in the Git commit history is crucial, especially in large and collaborative projects. Signed commits make it more difficult for malicious actors to inject malicious code into the repository unnoticed.

Vigilant mode

When we commit in git we sign the commit so that everyone can trust that commit and be confident about the author of the commit. So by enabling vigilant mode, you mark your git commits with one of three verification statutes i.e. someone made a signed commit then in GitHub, the commit will be shown as verified but if it is not verified then the commit will be shown as unverified. And if the vigilant mode is disabled then we can't see that kind of status in our git commits. So it is preferred to enable vigilant mode.

Various verification status

The following are the three verification statuses in GitHub:

  1. Verified: The commit is signed, the signature was successfully verified, and the committer is the only author who has enabled vigilant mode.

  2. Partially Verified: The commit is signed, and the signature was successfully verified, but the commit has an author who: a) is not the committer and b) has enabled vigilant mode. In this case, the commit signature doesn't guarantee the consent of the author, so the commit is only partially verified.

  3. Unverified: Any of the following is true:

    • The commit is signed but the signature could not be verified.

    • The commit is not signed and the committer has enabled vigilant mode.

    • The commit is not signed and the author has enabled vigilant mode.

Enable vigilant mode

The steps to enable vigilant mode are:

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

  2. In the "Access" section of the sidebar, click SSH and GPG keys.

  3. Under "Vigilant mode," select Flag unsigned commits as unverified.

Make your commits signed

To make your commits signed you have to follow the below steps. Basically for signing commits, you require a GPG key or SSH key and a verified email address that is connected to your GitHub account. In this blog, I am only focusing on the GPG key because it is widely used and GitHub itself also recommends it.

Verify your email address

Verification of email address is very necessary because without verifying an email address you can't do anything in GitHub, to be honest. So the steps to verify your email address in GitHub are as follows:

  1. Create a GitHub account.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

  3. In the "Access" section of the sidebar, click Emails.

  4. Under your email address, click Resend verification email.

  5. GitHub will send you an email with a link in it. After you click that link, you'll be taken to your GitHub dashboard and see a confirmation banner.

Generate a GPG key

  1. Download and install the GPG command line tools for your operating system. We generally recommend installing the latest version for your operating system.

  2. Open Git Bash.

  3. Now we have to generate a GPG Key by executing the below command in Git Bash:

     gpg --full-generate-key

  4. At the prompt, specify the kind of key you want, or press Enter to accept the default.

  5. At the prompt, specify the key size you want, or press Enter to accept the default.

  6. Enter the length of time the key should be valid. Press Enter to specify the default selection, indicating that the key doesn't expire. Unless you require an expiration date, we recommend accepting this default.

  7. Verify that your selections are correct.

  8. Enter your user ID information.

  9. Type a secure passphrase.

  10. Use the below command to list the long form of the GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.

    gpg --list-secret-keys --keyid-format=long

  11. From the list of GPG keys, copy the long form of the GPG key ID you'd like to use. In this example, the GPG key ID is 4AB5C36371587BD2:

    $ gpg --list-secret-keys --keyid-format=long
/Users/codago/.gnupg/secring.gpg
------------------------------------
sec   4096R/4AB5C36371587BD2 2023-03-10 [expires: 2024-03-10]
uid                          Codago <codago@example.com>
ssb   4096R/5BB6D45482678BE3 2023-03-10

  12. Paste the text below, substituting the GPG key ID you'd like to use, this will print the GPG key ID, in ASCII armor format. In this example, the GPG key ID is 4AB5C36371587BD2:

    gpg --armor --export 4AB5C36371587BD2

  13. Copy your GPG key, which is inside of -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  14. Now go to the next section of this blog which is Adding a GPG key to your GitHub account.

Adding a GPG key

You generated your GPG key from the previous steps and now the final step is to add your GPG key to your GitHub account. You can add multiple keys to your GitHub account and sign the commits with any keys you want but if you delete a key then the commits you made with that key will be displayed as unverified. But if the GPG key expires then your commits still show the verified status stating that your GPG key is expired nothing else.

Now to add the GPG key we have created follow the below steps:

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

  2. In the "Access" section of the sidebar, click SSH and GPG keys.

  3. Next to the "GPG keys" header, click New GPG key.

  4. In the "Title" field, type a name for your GPG key.

  5. In the "Key" field, paste the GPG key we just created in the Generate a GPG key section.

  6. Click the Add GPG key.

  7. To confirm the action, authenticate to your GitHub account.

Sign commits from shell

You set up all the required steps to sign a commit, now you have to know how to sign a commit. To sign a commit you need the following command:

git commit -S -m "Commit message"

Alternatively, you can set the default config of gpgsign to true so that you don't have to specify the flag -S every time you sign a commit. To set the default config of gpgsign to true execute the following command:

git config commit.gpgsign true

So today you learned about signing git commits, the benefits of git commits, how to generate a gpg key and add it to GitHub, how to verify your email and lastly how to sign git commit in the command line.

If you liked the blog then give a ❤ and leave a comment below. Happy coding 🤜

GitHubGitgit commitsign commitsgit security