Git Verified Commits

Verified or Signed commits act as a source of trust in open-source development. It’s a way for people to know that the code came from a trusted source. Popular git hosting providers like GitHub, Bitbucket and GitLab have signed commits built into their interface so people can easily verify the authenticity of the repo. Here’s an example of how it looks on GitHub:

Screenshot showing a verified badge next to commits on GitHub

Add a GPG key to your account

You can use GPG to sign commits with your GPG key. For more information on GPG, go here.

For the sake of this article, we will be dealing with verified commits on GitHub. We will also assume that you have a GPG key.

GitHub uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key that you have added to your GitHub account.

Screenshot showing GPG keys section in GitHub settings

Tell Git to use your GPG key

After adding your public GPG key to your GitHub account, you need to tell git on your machine which key to use for signing. First, list the secret keys in your local keyring:

$ gpg --list-secret-keys --keyid-format LONG

/home/kunal/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/ABD83AC02AAC0953 2019-07-31 [SC] [expires: 2035-07-27]
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid                 [ unknown] Kunal Nagar <knlnagar@gmail.com>
ssb   rsa4096/xxxxxxxxxxxxxxxx 2019-07-31 [E] [expires: 2035-07-27]

In the above example, my key ID is ABD83AC02AAC0953 (the part after rsa4096/ on the sec line), and we’ll use that:

$ git config --global user.signingkey ABD83AC02AAC0953

Signing your commit

When you’re ready to commit your work, just add the -S flag to your commit command:

$ git commit -S -m "Testing signed commits"

If your key has a passphrase, you’ll be asked to enter it now.

That’s it! Push your commit and you can see the verified commit on your git hosting provider.
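Picking the right key ID out of the gpg listing by hand is error-prone when a keyring holds more than one secret key. The following is an added example, not code from the original post: a small shell helper that parses `gpg --list-secret-keys --keyid-format LONG` output and returns the long key ID of the key whose uid carries a given e-mail address. The listing it runs against is constructed (the second key, its IDs and the e-mail addresses are made up for the example).

```shell
#!/bin/sh
# Added example (not from the original post): select the long key ID of the
# secret key whose uid matches an e-mail address, from the output format of
# `gpg --list-secret-keys --keyid-format LONG`, so the ID can be handed to git.

# Constructed sample listing modelled on the post's output. The second key,
# all fingerprints/subkey IDs and the e-mail addresses are invented.
SAMPLE_LISTING='/home/kunal/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/ABD83AC02AAC0953 2019-07-31 [SC] [expires: 2035-07-27]
      0000000000000000000000000000000000000000
uid                 [ unknown] Kunal Nagar <knlnagar@gmail.com>
ssb   rsa4096/1111111111111111 2019-07-31 [E] [expires: 2035-07-27]
sec   ed25519/2222222222222222 2024-01-01 [SC]
      1111111111111111111111111111111111111111
uid                 [ultimate] Example Work <work@example.com>
ssb   cv25519/3333333333333333 2024-01-01 [E]
'

# signing_key_for EMAIL LISTING
# Prints the long key ID (the part after "algo/" on the "sec" line) of the
# secret key whose following "uid" line contains <EMAIL>; returns 1 if no
# key matches, so callers never silently configure the wrong key.
signing_key_for() {
    email="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v email="$email" '
        /^sec / { split($2, parts, "/"); current = parts[2] }      # remember the key ID
        /^uid / && index($0, "<" email ">") { print current; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Usage against your own keyring (uncomment to run for real):
# key_id=$(signing_key_for you@example.com "$(gpg --list-secret-keys --keyid-format LONG)") || exit 1
# git config --global user.signingkey "$key_id"
```

After signing, `git log --show-signature -1` shows whether the new commit verifies against that key before you push.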
