The Ops Community

Axel Navarro

Posted on • Originally published at dev.to

Sign your code

Did you know you can sign your code in Git using a GPG key? A lot of programmers don't know they can sign their Git commits with a key they created themselves.

Introduction

You can use any name or email when you create a Git commit, but you can't sign a commit with a GPG key that doesn't belong to you.

What is GPG?

The GNU Privacy Guard is an implementation of the OpenPGP standard and allows you to encrypt and sign your data and communications.

This is fully integrated with Git and you can automatically sign your code with it.

You can create a GPG key following this guide on GitHub. Remember that you should also register the public key on GitHub or GitLab.

Should I sign every commit?

There is a discussion about this, because Linus Torvalds says that when you're signing a Git tag 🏷️, you're validating all the commits in the release, signed or not. If you automatically sign every commit in the repository, the signature loses its meaning.

Signed tag by a Node.js' member on GitHub

On the other hand, some Linux distros, like Arch Linux, use the Arch User Repository (AUR), Git repositories made by users to build packages that are not officially supported. I mean, if you're compiling and installing a package from another user's build instructions, you'd probably like the idea of the authors signing their work. ⚠️

A signed commit to build the WebStorm EAP package in Arch Linux-based operating systems

I personally like the idea of signing my open source contributions, because that's proof of my work. Anyway, if you use GitHub to squash your commits before merging a pull request, GitHub replaces all your commits, signed or not, with a single commit made by itself and signed with GitHub's GPG key. The same happens when you create code releases via the GitHub web interface.

Signed commits in GitHub with a partially signed commit

How to sign a Git commit?

First, get your key ID and copy it.

gpg --list-secret-keys --keyid-format=long

Then, tell Git your GPG key.

git config --global user.signingkey 3AA5C34371567BD2

Now, you can sign using the -S argument:

git commit -S -am <your_commit_message>

and it's done! 🚀

💡 To sign every commit automatically, you can use the following configuration without needing the -S flag:

git config --global commit.gpgsign true

How to sign a Git tag?

When you create a tag locally you should add the --sign argument.

git tag --sign <tag_name>

Also, you can turn this on permanently with the following Git configuration setting:

git config --global tag.gpgsign true

💡 If you only want to apply this to the repository in the current directory, remove the --global argument.

Conclusion

If you work in the open source world it's a really good practice to sign your releases using a GPG key. If your work is consumed from a branch instead of a Git tag, perhaps you should sign every commit.

And, if you work in a closed source repository, you can add a rule in your CI/CD tools to only allow releases with specific GPG keys.
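One way to implement that CI/CD rule, as an added example that is not part of the original post: a POSIX shell gate that consumes the lines printed by `git log --format='%H %G? %GF'` and rejects any commit that is unsigned, badly signed, or signed by a key outside an allowlist. The fingerprints, commit hashes and the commit range in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a CI gate that accepts a release
# only when every commit in a range has a good signature from an allowlisted key.
# Feed it the output of:  git log --format='%H %G? %GF' <base>..<head>
#   %G? = signature status (G good, U good but key validity unknown, B bad,
#         X/Y expired, R revoked, E cannot check, N unsigned)
#   %GF = fingerprint of the signing key (use %GP to allowlist primary keys)

# Constructed allowlist of release-key fingerprints (placeholder values).
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567 FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# check_log: reads "<hash> <status> <fingerprint>" lines from stdin.
# Returns 0 only if every commit passes; prints each rejection to stderr.
check_log() {
    rc=0
    while read -r hash status fpr; do
        [ -z "$hash" ] && continue
        case "$status" in
            G|U) ;;  # verified signature (U: key not trusted in CI's keyring, still valid)
            *) echo "REJECT $hash: signature status '$status'" >&2; rc=1; continue ;;
        esac
        case " $ALLOWED_FPRS " in
            *" $fpr "*) echo "OK $hash signed by $fpr" ;;
            *) echo "REJECT $hash: key '$fpr' not in allowlist" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample lines standing in for real git log output.
SAMPLE_GOOD="aaaa111 G 0123456789ABCDEF0123456789ABCDEF01234567
bbbb222 U FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_BAD="aaaa111 G 0123456789ABCDEF0123456789ABCDEF01234567
cccc333 N
dddd444 G 1111111111111111111111111111111111111111"

# Real usage in a pipeline step (the commit range is an assumption):
#   git log --format='%H %G? %GF' "origin/main..HEAD" | check_log || exit 1
```

The keyring in the CI runner only needs the public keys imported; the status U is expected there because no trust is assigned, which is why the allowlist on the fingerprint does the real authorization.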
