In git, whenever you want to add a change to a repository, a new commit is created in the repository history.

Besides the actual changes in the repository, every commit includes several metadata fields, some of them pointing to both the author and the committer:

  • Author: the person who wrote the code.
  • Committer: the person who added the code to the repository.
    Author:     juandebravo <juandebravo@gmail.com>
    AuthorDate: Wed Nov 21 22:41:04 2018 +0100
    Commit:     juandebravo <juandebravo@gmail.com>
    CommitDate: Wed Nov 21 22:41:04 2018 +0100

99% of the times, both author and committer points to the same person; only in distributed teams working in a flow that requires both git format-patch and git apply may happen that author and committer are different (e.g. someone providing a new functionality or bug fix, the author, but not having write permissions in the repository and therefore another person, the committer, would write the commit on his/her behalf).

Both fields are configurable locally, and there’s no way you can ensure a commit uploaded to a repository hosted in a SaaS product like Github or Gitlab was authored or committed by the person defined in Author and Committer fields… unless you enter commit signature verification.

Git provides a mechanism to sign your work with a GPG key.

Working on my macOS High Sierra, these are the steps I followed to get my commits signed:

Install git and gnupg

brew install git gnupg gpg-agent pinentry-mac
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf

Generate a GPG key

gpg --gen-key

Important: include the email and user name you’d like to use while signing your commits.

Obtain the GPG key id of the key you just generated

You will need this number in the following step.

gpg --list-secret-keys --keyid-format LONG

Configure username, email and GPG in git

git config --global user.name <your-user-name>
git config --global user.email <your-email>
git config --global gpg.program gpg
git config --global commit.gpgsign true
git config --global user.signingkey <your-gpg-key-id>

Restart GPG agent

gpgconf --kill gpg-agent

Github

Once you start signing your commits, you can let the world know commits pointing to your username in GitHub were indeed committed by you (or at least by someone with access to your GPG private key!).

First of all, export the public key to ASCII armor format:

gpg --armor --export GPG <your-gpg-key-id>

Second step is uploading the public key using your GitHub key settings page:

  1. Click on New GPG key
  2. Add the GPG public key ASCII representation
  3. Click on Add GPG key

Since now on, your commits will be labeled with [Verified] in GitHub repository history page

Sign git commit

« Home