Add gpg sign git commits

This commit is contained in:
Ariejan de Vroom 2014-06-11 07:55:16 +02:00
parent 347fb494fa
commit 1538fc476c

View File

@ -0,0 +1,109 @@
---
title: "GPG Sign Your Git Commits"
created_at: 2014-06-04
kind: article
published: true
tags:
- gpg
- gnupg
- security
- git
summary: |
The relevance and need for trust in the realm of email, using GPG,
has been talked about a lot latetly. But how about trust when it
comes to the code your write? Would it be possible to sign your commits
with GPG to generate trust?
---
I have [written][1] and [talked][2] before about GPG and the need for trust on the internet.
Getting started with GPG and using it on a daily basis is, when you're using the right tools, not all that hard, but still quite technical. Today [Google announced][3] they are working on a Chrome extention to enable end-to-end encryption using OpenPGP.
As a developer, I do more than dispatching emails all day. On occasion I write code. And that code gets committed to a repository that will remember that commit forever.
Just as with emails it is remarkably easy to fake your identity when committing code.
```
:::bash
git commit -a -m "Meh" --author "Chuck Norris <chuck@example.com>"
```
In theory, this would allow anyone to commit (malicious) code under your name. Meaning that _you_'ll get the blame for the back door _you_ committed.
Git seems to offer a resolution by adding a `Signed-off-by` field, to allow a second developer to sign off on code that gets merged into the project. But this field suffers from the same trust issues as the `Author` field.
**You cannot trust the git Author and Signed-off-by fields.**
Again, GPG offers a solution to the problem of trust. By establishing trust based on public keys, wouldn't it be cool if you could sign a git commit just the same way you'd sign an email?
Well, you can.
## Signing commits
```
:::bash
git commit -a -m "Cool new feature" --gpg-sign=F713697B
```
This will attach your signature to the git commit message, allowing others to validate your signature. Validating this signature is quite easy as well.
```
:::bash
git log --show-signature
```
```
commit 3d53a4be3f6f955007dc056347d926067bbfa8de
gpg: Signature made zo 1 jun 20:42:58 2014 CEST using RSA key ID F713697B
gpg: Good signature from "Ariejan de Vroom <ariejan@ariejan.net>"
Author: Ariejan de Vroom <ariejan@ariejan.net>
Date: Sun Jun 1 20:42:58 2014 +0200
```
Any other developer (or your CI) can now validate your commit as coming from you, based on the trust they assigned to your public key.
Optionally to using `--gpg-sign` you can use `-S`. If you don't specify a specific key, git will try to figure out what key to use based on your email address. It's also possible to set a default signing key globally.
```
:::bash
git config --global user.signingkey F713697B
```
## Signing tags
Besides signing every commit you make, it's also good idea to sign tags. That way you can be sure that the created tag was actually created by a trusted person.
```
:::bash
git tag -s 1.2.3 -m "Release 1.2.3 including bug fixes."
```
## Signing merges
If you are responsible for integrating features and bug fixes into the main branch of a project, you'd probably like to sign the merges you make. You have two options here.
The first is to merge and manually commit a sign the merge.
```
:::bash
git merge feature-awesome --no-commit
git commit -m "Merge feature-awesome" -S
```
The second is merging and signing directly.
```
:::bash
git merge feature-awesome -S
```
Be sure to check out [this in depth guide by Mike Gerwitz][4].
## Where to go from here?
Trust is a hard thing to come by on the internet and it really bites you when things go wrong. Just as with email, creating a web of trust can be helpful and someday save you from disaster.
[1]: https://ariejan.net/2014/04/03/pretty-difficult-privacy/
[2]: https://ariejan.net/talks/
[3]: http://googleonlinesecurity.blogspot.nl/2014/06/making-end-to-end-encryption-easier-to.html
[4]: http://mikegerwitz.com/papers/git-horror-story