Verified git commits

Boosting trust and security in your codebase

November 17, 2024 - 536 words - 3 mins
software open-source git

When it comes to software development, trust and security are very important. One easy way to level up both is by using verified commits.

Whether you’re working on an open-source project or in a private company, verified commits can make sure your contributions are legit. Let’s break down what they are, why they’re important, and how to start using them.

What are verified commits?

A verified commit is a Git commit that the author has signed with a digital signature. The signature is made with a private key that only the author holds, so it proves both that the commit came from the person who claims to have made it and that its contents have not been altered since it was signed. Tools like GPG (GNU Privacy Guard) let you attach this signature to your commits.

If you’re using a platform like GitHub, you’ll notice a little “Verified” badge next to commits whose signature checks out against a public key registered on the author’s account. It’s a quick way to show that the commit is authentic.

Why are they important?

Signed commits help keep your contributions authentic and trustworthy. By adding a cryptographic signature to your commits, you prove that the changes came from you. This is especially important in collaborative environments, where maintaining trust and accountability is key.

Without signed commits, anyone could fake a commit using someone else’s email: Git simply records whatever name and email are configured locally and checks nothing. For example, they could use your email, and platforms like GitHub would link it to your profile, making it look like you made the changes, even if you didn’t. Not good!

By signing your commits, you show that the work is genuinely yours. It stops impersonation, builds trust in what you’ve done, and keeps everything transparent and accountable.

Note: For this demo, I used a public email address belonging to Linus Torvalds. After pushing the commit to this repository, GitHub recognized the email and linked it to his profile. This impersonation is purely for demo purposes to highlight potential risks. Always use your own email for commits.


How to get started with verified commits

Set up a GPG key

First, you’ll need a GPG key to start signing commits. Here’s how:

Generate a GPG key:

gpg --full-generate-key

Find your key ID:

gpg --list-secret-keys --keyid-format=long

Tell Git to use your key:

git config --global user.signingkey <your-key-id>

Make signing commits the default:

git config --global commit.gpgsign true

Add your key to GitHub/GitLab

Export your public key:

gpg --armor --export <your-key-id>

Navigate to “Settings > SSH and GPG keys,” and paste your key.

Start signing commits

From now on, Git will automatically sign your commits.

If you want to sign a commit manually, just use the -S flag:

git commit -S -m "Your commit message"

You can verify the commit signature with:

git log --show-signature

You can also check it by clicking the “Verified” badge on GitHub directly.
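As an added example (not code from the original post), here is the kind of policy check a maintainer or CI job can run on top of the same signature data: it reads the output of git log's signature placeholders (%G? status code and %GF signing-key fingerprint) and flags every commit that is unsigned, badly signed, or signed by a key outside an allow-list. The hashes, fingerprints and the TRUSTED allow-list below are constructed placeholders; replace TRUSTED with the fingerprints your team has registered.

```python
"""Policy check: every commit in a range must carry a good signature from an allow-listed key.
Input format: git log --format='%H%x09%G?%x09%GF' <range>  (%G? = status code, %GF = key fingerprint)."""
import subprocess
import sys

# Meaning of the %G? status codes, from git-log(1) "PRETTY FORMATS".
STATUS = {
    "G": "good signature",
    "U": "good signature, but key is not trusted",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "B": "bad signature",
    "E": "signature cannot be checked (e.g. public key missing)",
    "N": "no signature",
}

# Constructed sample log output (fake hashes and fingerprints) for offline use.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAAAA1111AAAA1111AAAA1111AAAA1111AAAA1111\n"
    "2222222222222222222222222222222222222222\tN\t\n"
    "3333333333333333333333333333333333333333\tG\tBBBB2222BBBB2222BBBB2222BBBB2222BBBB2222\n"
    "4444444444444444444444444444444444444444\tB\tAAAA1111AAAA1111AAAA1111AAAA1111AAAA1111\n"
)
TRUSTED = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}  # placeholder allow-list

def audit_signatures(log_text, trusted_fingerprints):
    """Return one finding per commit that fails the policy; [] means every commit passed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Pad so a missing fingerprint (unsigned commit) still unpacks cleanly.
        sha, status, fpr = (line.split("\t") + ["", ""])[:3]
        if status != "G":
            findings.append(f"{sha[:12]}: {STATUS.get(status, 'unknown status ' + status)}")
        elif fpr.upper() not in trusted_fingerprints:
            findings.append(f"{sha[:12]}: signed by non-allow-listed key {fpr}")
    return findings

def collect_log(rev_range):
    """Run git log over a range such as 'origin/main..HEAD' and return its text."""
    return subprocess.check_output(["git", "log", "--format=%H%x09%G?%x09%GF", rev_range], text=True)

if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise a real range.
    log = collect_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    problems = audit_signatures(log, TRUSTED)
    print("\n".join(problems) or "all commits verified")
    sys.exit(1 if problems else 0)
```

Run it inside a repository with a range such as `origin/main..HEAD` and a non-zero exit status tells the pipeline to reject the push; note that git can only report G for keys present in the local keyring, so the CI runner needs the team's public keys imported.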

Verified commits might seem like a small step, but they make your code more trustworthy. It’s an easy way to add an extra layer of protection to your work—and it’s worth it. Give it a try!


Extra: Full setup in Spanish 🇪🇸