description = "The relevance and need for trust in the realm of email, using GPG, has been talked about a lot lately. But how about trust when it comes to the code you write? Would it be possible to sign your commits with GPG to generate trust?"
slug = "gpg-sign-your-git-commits"
+++
I have [written][1] and [talked][2] before about GPG and the need for trust on the internet.
Getting started with GPG and using it on a daily basis is, when you're using the right tools, not all that hard, but still quite technical. Today [Google announced][3] they are working on a Chrome extension to enable end-to-end encryption using OpenPGP.
As a developer, I do more than dispatching emails all day. On occasion I write code. And that code gets committed to a repository that will remember that commit forever.
Just as with emails it is remarkably easy to fake your identity when committing code.
In theory, this allows anyone to commit (malicious) code under your name, meaning that _you_ get the blame for the back door _you_ committed.
Git seems to offer a resolution by adding a `Signed-off-by` field, to allow a second developer to sign off on code that gets merged into the project. But this field suffers from the same trust issues as the `Author` field.
**You cannot trust the git Author and Signed-off-by fields.**
Again, GPG offers a solution to the problem of trust. By establishing trust based on public keys, wouldn't it be cool if you could sign a git commit just the same way you'd sign an email?
This will attach your signature to the git commit message, allowing others to validate your signature. Validating this signature is quite easy as well.
Any other developer (or your CI) can now validate your commit as coming from you, based on the trust they assigned to your public key.
Instead of `--gpg-sign` you can use the shorthand `-S`. If you don't specify a key, git tries to figure out which key to use based on your email address. It's also possible to set a default signing key globally.
Besides signing every commit you make, it's also a good idea to sign tags. That way you can be sure that a tag was actually created by a trusted person.
If you are responsible for integrating features and bug fixes into the main branch of a project, you'd probably like to sign the merges you make. You have two options here.
The first is to merge and then manually commit and sign the merge.
Be sure to check out [this in-depth guide by Mike Gerwitz][4].
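As an added example (not the post's own commands), here are the signing commands discussed above, followed by a small POSIX shell check that a second developer or a CI job can run over a commit range to refuse unsigned or untrusted commits. It assumes git is installed; the key id, branch and tag names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes git is installed;
# <KEYID>, branch and tag names below are placeholders.
set -eu

# --- signing side (needs a GPG key in your keyring) ----------------------
# git config --global user.signingkey <KEYID>      # default signing key
# git commit -S -m "Add input validation"          # -S is short for --gpg-sign
# git tag -s v1.2.0 -m "Release 1.2.0"             # signed tag
# git merge -S --no-ff feature/login               # signed merge commit
# git log --show-signature -1                      # inspect a commit signature
# git tag -v v1.2.0                                # verify a tag signature

# --- verifying side ------------------------------------------------------
# git's %G? format placeholder reports one status letter per commit:
#   G good signature, trusted key    U good signature, untrusted key
#   N no signature                   B bad signature
#   E signature cannot be checked    X/Y/R expired sig / expired key / revoked

# count_unsigned <repo_dir> <rev_range>: number of commits whose status is not G
count_unsigned() {
    git -C "$1" log --format='%G?' "$2" | grep -vc '^G$' || true
}

# verify_signed_range <repo_dir> <rev_range>: print one line per commit and
# return 0 only when every commit carries a good signature from a trusted key.
verify_signed_range() {
    git -C "$1" rev-list "$2" >/dev/null   # fail early on an invalid range
    git -C "$1" log --format='%h %G? %GS' "$2" | while read -r hash status signer; do
        case "$status" in
            G) echo "ok    $hash  signed by ${signer:-<unknown>}" ;;
            U) echo "WARN  $hash  good signature but key is not trusted" ;;
            N) echo "FAIL  $hash  unsigned commit" ;;
            *) echo "FAIL  $hash  signature status $status" ;;
        esac
    done
    [ "$(count_unsigned "$1" "$2")" -eq 0 ]
}

# Usage: sh verify-signed.sh <repo_dir> <rev_range>   e.g. . origin/main..HEAD
if [ $# -eq 2 ]; then
    verify_signed_range "$1" "$2"
fi
```

Run it as a CI step against the range a pull request adds (for example `origin/main..HEAD`); a non-zero exit means at least one commit lacks a good signature from a key you trust.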
## Where to go from here?
Trust is hard to come by on the internet, and it really bites you when things go wrong. Just as with email, building a web of trust can be helpful and may someday save you from disaster.