Sign your git commits!

Hey did you know that anyone can upload a commit to GitHub with your name and email? Look, I'm Linus Torvalds:

definitely Linus Torvalds, look it's got his picture and everything

When you make a git commit, git pulls your name and email from your git configuration, and writes it into the git database. GitHub uses that data to look up a GitHub user based on the email, and shows the commit as coming from that author. But wait, what's this?

The commit is showing up as "Unverified"! Okay, phew, maybe GitHub doesn't have a huge security hole.

Except it kind of does! Because unless you've turned this on in your settings:

anyone can create commits on GitHub that look like they were written by you!


But ugh, who wants to deal with GPG?

Nobody.

But you don't have to! Since Git 2.34.0 (released Nov 2021), you can sign commits using the same SSH key you use to push commits to GitHub. And it's super easy to set up. Here, I'll walk you through it.

First, make sure your version of Git is 2.34.0 or newer:

$ git --version
git version 2.38.0

Then, tell Git you want to sign your commits with your SSH key:

$ git config --global gpg.format ssh
$ git config --global commit.gpgSign true
$ git config --global tag.gpgSign true

If you have more than one SSH key on your machine, you should also tell Git which one to use (by default it will use the first one listed in ssh-add -L):

$ git config --global user.signingKey ~/.ssh/github_key.pub

And lastly, let GitHub know which key(s) you are going to be using to sign your commits. Go to your key settings, click "New SSH Key", and be sure to select "Signing Key" as the key type.

And that's all! Now all your commits will show up with the little "Verified" badge on GitHub.


One more step you might want to take is to turn on Vigilant Mode. That will make GitHub's UI show commits that have your email, but haven't been signed by one of your keys, as "Unverified". That serves as an extra warning to anyone who might come across a pretender trying to pass their code off as yours that something is afoot. It does have the downside that all the commits you made before you started signing your commits will also show as "Unverified". Such is the price of progress!
