Code signing in git
Last updated: 2017-03-24
Once you create a PGP keypair, you can use it to sign your code in git.
First, you need to configure git to use
gpg2 for signing.
$ git config --global gpg.program gpg2
You can also specify which PGP key should be used for signing in this particular repository.
$ git config user.signingkey $KEY_ID
You can manually sign commits with the
-S flag. For example:
$ git commit -S $ git commit --amend -S $ git rebase -S
However, it’s much more convenient to configure git to use PGP signing by default. This only works for Git 2.0.0 and above.
$ git config --global commit.gpgsign true
When creating tags, you can use
-s flag to sign it.
$ git tag -s release-x-y
If you’re signing code often, you can configure GPG agent to avoid re-entering your passphrase all the time.
Signatures in git are not displayed by default. You can manually view and verify commit signatures using the
$ git log --show-signature $ git show --show-signature
Signed commits will have gpg information attached.
commit 3053f3735a54337da858b519b7f2a05ec9d44c35 gpg: Signature made Sat 11 Mar 2017 10:29:37 AM CET gpg: using RSA key 0xFA4A7FE8A9586F79 gpg: Good signature from "Tomas Krizek <email@example.com>" [ultimate] Author: Tomas Krizek <firstname.lastname@example.org>
If you’re viewing signatures often, you might want to set up an alias.
$ git config --global alias.l "log --show-signature"
You can verify a tag’s signature with:
$ git verify-tag release-x-y
And check if the tag is signed with a trusted and valid key.
gpg: Signature made Fri 24 Mar 2017 10:06:09 AM CET gpg: using RSA key 0x22A2A94B5E49415A gpg: Good signature from "Tomas Krizek <email@example.com>" [ultimate]
Uploading you public key to GitHub
If you upload your public key to GitHub, you’ll get
Verified flag next to your signed commits and tags in GitHub’s web interface.
You need to get your public key in ASCII-armored format.
$ gpg2 --armor --export $KEY_ID
Go to your GitHub account settings and add you public key in the
SSH and GPG keys menu.
Code signing in community projects
When you submit a pull request or a patch to a community project, it’s up to the project maintainers how to handle your signature. If they care about code signing, they have a couple of options.
- A commit can be accepted exactly as is, including your signature.
- One of the project’s maintainers signs the commit instead.
The second approach is the only option if the maintainers decide to modify your commit in any way (rebase, change the commit message, …). By signing the commit themselves, they certify that the code has gone through the approval process the project has in place (code reviews, sanity checks, …).
When code is distributed in a tarball, you can sign the file and distribute the signature with it.
$ gpg2 --armor --detach-sign project.tar.gz
This will create a detached armored signature file
project.tar.gz.asc. You can verify the signature.
$ gpg2 --verify project.tar.gz.asc