January 19, 2024 in sdlc by Jonathan Walker (5 minutes)
All it takes is five minutes out of your day to get started using signed commits. Why not now? The following article goes over how to sign your commits, how to enforce signed commits, and everything along the way to help you with that journey. Here are some benefits to signing your commits:
While this blog post focuses on GitHub, alternatives will have similar steps assuming they support enforcing and viewing signed commits. See GitLab's article on Signing Commits in GitLab if you use GitLab.
These steps cover everything required to start signing your commits, for those who have more important things to do; more detailed instructions follow further below.
Note
Be sure to install GPG Suite before starting.
```bash
# Pick your key properties and make sure you set the email the same as your git config: `git config --get user.email`
gpg --full-generate-key
# Grab the key id after the forward slash, e.g. `rsa3072/C000AA111111B222`
gpg --list-secret-keys --keyid-format=long
# Insert it, replacing the example key id here
gpg --armor --export C000AA111111B222
# Add your public key to GitHub in Settings -> SSH and GPG Keys
git config --global user.signingkey C000AA111111B222
# Sign your first commit
git commit -S -m "first signed commit"
# Verify your key worked, then set all future commits to be signed
git config commit.gpgsign true
```
A step-by-step guide on how to sign your commits, with notes to help you navigate each step along the way.

1. Generate a key:

   ```bash
   gpg --full-generate-key
   ```

   - Press Enter to accept the default "(1) RSA and RSA (default)".
   - Press Enter to accept the default "What keysize do you want? (3072)".
   - Type 5y to specify a five year length, or press Enter to accept no expiration.
   - Real name: enter your name.
   - Email address: this must match the output of `git config --get user.email`, or else commits will be Unverified.
   - Comment: optional.
   - Type O for Okay.

2. Find your key id:

   ```bash
   gpg --list-secret-keys --keyid-format=long
   ```

   The key id is the part after the / (on the line below the ---) that looks like `rsa3072/C000AA111111B222`, which in this example is C000AA111111B222.

3. Export your public key and copy the output:

   ```bash
   gpg --armor --export C000AA111111B222
   ```

4. In GitHub, go to Settings -> SSH and GPG Keys -> New GPG Key, paste the exported key, and click Add GPG Key.

5. Tell git which key to sign with:

   ```bash
   git config --global user.signingkey C000AA111111B222
   ```

6. Sign your first commit:

   ```bash
   git commit -S -m "first signed commit"
   ```

7. Once the commit shows as verified, set all future commits to be signed:

   ```bash
   git config commit.gpgsign true
   ```
Danger
Enforcing security processes typically takes months of preparation and communication. Proceed with caution.
For GitLab, enforcing signed commits is not possible at this time as far as I am aware. See the GitLab issue Add option to only allow GPG signed merge requests. The web UI supports viewing signed commit messages. There is a workaround using a CI job in .gitlab-ci.yml, shown below.
```yaml
verify_signed_commits:
  script:
    - |
      # %G? prints a one-letter signature status per commit; ' N' marks commits with no signature.
      # '|| true' stops the job aborting when grep matches nothing: GitLab runs scripts with set -e,
      # and an assignment from $(...) takes grep's exit code. Needs a full clone (GIT_DEPTH: 0).
      NOT_SIGNED=$(git log --pretty="format:%H %G?" $CI_COMMIT_BEFORE_SHA..$CI_COMMIT_SHA | grep ' N' || true)
      if [ -n "$NOT_SIGNED" ]; then
        echo "The following commits are not signed:"
        echo "$NOT_SIGNED"
        exit 1
      fi
  only:
    - main
    - merge_requests
```
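As an added example (not from the original post), here is a stricter variant of that check: it treats every %G? status other than G or U as a failure, so a runner that lacks the public keys (status E) is flagged rather than silently passing. Pipe the output of `git log --pretty="format:%H %G?" BASE..HEAD` into it; BASE and HEAD are placeholders for the range to check.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a stricter variant of the CI check above.
# Reads "<sha> <status>" lines as produced by
#   git log --pretty="format:%H %G?" "$BASE..$HEAD"
# and passes only if every commit has a verified signature.
#
# %G? status letters (from the git log docs): G good, U good but untrusted key,
# B bad, X/Y good but expired signature/key, R revoked key,
# E cannot be checked (public key missing on the runner), N not signed.

# Prints one line per problem commit; returns 0 only when every commit is G or U.
check_signatures() {
  local sha status failed=0
  # '|| [ -n "$sha" ]' keeps the last line even when the input lacks a trailing
  # newline, which is what --pretty="format:..." produces.
  while read -r sha status || [ -n "$sha" ]; do
    [ -z "$sha" ] && continue
    case "$status" in
      G|U) ;;
      N)   echo "$sha: not signed"; failed=1 ;;
      E)   echo "$sha: signed, but key not available to verify it (import public keys on the runner)"; failed=1 ;;
      B)   echo "$sha: BAD signature"; failed=1 ;;
      X|Y) echo "$sha: signature or signing key expired"; failed=1 ;;
      R)   echo "$sha: signing key revoked"; failed=1 ;;
      *)   echo "$sha: unknown status '$status'"; failed=1 ;;
    esac
  done
  return "$failed"
}

# In a CI job (BASE and HEAD are placeholders for the commit range to check):
#   git log --pretty="format:%H %G?" "$BASE..$HEAD" | check_signatures || exit 1

# Constructed sample standing in for real git log output.
SAMPLE_LOG='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 E
4444444444444444444444444444444444444444 U'

# Run with --demo to see the report for the sample (exits 1 because of commits 2 and 3).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | check_signatures
fi
```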
To enforce this on a single branch within your repository, perform the following. Please note this is a breaking change.

1. Go to Settings -> Branches (under Code and automation).
2. Under Branch protection rules, click Add rule or edit an existing rule.
3. Check Require signed commits.

Rulesets are an alternative. You must have GitHub Enterprise in order to use them, and this can cause commits to break if all contributors do not currently have this configured.

1. Go to Settings -> Repository -> Rulesets (under Code, planning, and automation).

From my research into adoption, signed commits are not well established at this time. While signing commits is inherently a feature of Git itself and not specific to any web-based version control interface, the ability of platforms like GitHub and GitLab to support and enforce signed commits depends on how they integrate this Git feature into their respective web interfaces and additional tooling.
Platform | Supports Commit Signing | Enforce Signed Commits | Notes |
---|---|---|---|
GitHub | Yes | Yes | GitHub allows users to sign commits with GPG or S/MIME and offers branch protection rules to enforce signed commits. |
GitLab | Yes | No (Workarounds exist) | GitLab supports GPG-signed commits, but direct enforcement must be implemented via CI/CD pipelines or server-side hooks. |
Bitbucket | Yes | No | Bitbucket supports GPG-signed commits but does not have a built-in feature to enforce them. |
Azure DevOps | Yes | No | Azure DevOps supports commit signing, but there is no built-in enforcement mechanism. |
AWS CodeCommit | No | No | As of the last update, AWS CodeCommit did not support commit signing. |
SourceForge | Yes | No | SourceForge supports commit signing but does not have a feature to enforce signed commits. |
For further reading and sources.