Anyone can make a Git commit using any name and any email address. What prevents someone from using my name and my email to contribute a malicious commit, or even simply a commit no representative of me?
By default, nothing.
Git does, however, support signing commits and tags using a GPG key pair. Doing so verifies that the commit was created by the owner of that key: you. Furthermore, after sharing your public key with Github, your signed commits are marked as
[verified] for everyone to see. At that point, any commit made by “you” which is unsigned should be considered untrusted.
Assuming you have a GPG key pair generated already (if not, see here), you can begin signing all of your commits with one Git setting change:
$ git config --global commit.gpgsign true
Each time you commit now, you’ll be prompted for your GPG password. To be prompted in the current terminal, as opposed to in a GUI popup, there’s one more setting you should change, this time for GPG directly. In your
~/.bashrc (or similar), add the following:
# Always prompt for GPG password from terminal export GPG_TTY=$(tty)
When you commit, you’ll be prompted with a TUI along the lines of:
┌────────────────────────────────────────────────────┐ │ Please enter the passphrase to unlock the secret │ │ key for the OpenPGP certificate: │ │ "Jeaye <firstname.lastname@example.org>" │ │ 2048-bit RSA key, ID 6C61E510, │ │ created 2016-01-13. │ │ │ │ │ │ Passphrase *********************__________________ │ │ │ │ <OK> <Cancel> │ └────────────────────────────────────────────────────┘
If you’d like to manually specifiy which key is used when signing, you can do so with the following:
# Replace FFFFFFFF with your key id git config --global user.signingkey FFFFFFFF
Note that this isn’t typically needed, as your default key will be chosen by git automatically.
Some people think it’s only important to sign tags to mark releases or specific points at which everything has been verified. Arguably, every single commit should be signed. You’re held responsible for every change you push to every repository; someone misrepresenting you can be done with a simple config change if you’re not habitually signing commits.
This is why I’ve provided the config to enable signing by default and I encourage any individual or team to do the same. For a more illustrative explanation of this, see here.