nunogrl.com - authenticationhttps://nunogrl.com/2024-03-21T00:00:00+00:00Enforcing GPG-Signed Commits in Git2024-03-21T00:00:00+00:002024-03-21T00:00:00+00:00Nuno Leitaotag:nunogrl.com,2024-03-21:/articles/enforcing-gpg-signed-commits-git/<p class="first last">Learn how to enforce GPG-signed commits in Git to prevent commit impersonation and ensure code authenticity</p>
<div class="section" id="problem-solution">
<h2>🚀 Problem & Solution</h2>
<div class="section" id="context-backstory">
<h3>📌 <strong>Context / Backstory</strong></h3>
<p>In our collaborative development environment, we discovered that Git's flexibility allows commits under any name and email. This became a security concern when we realized that GitHub identifies users by email, not SSH keys.</p>
<div class="mermaid" id="mermaid-diagram-1842184663821928552">
sequenceDiagram
participant Alice
participant Bob
participant GitHub
Alice->>GitHub: Commit signed with alice@example.com (GPG signed)
GitHub->>GitHub: Shows "Verified" commit from Alice
Bob->>GitHub: Commit using alice@example.com (no signature)
GitHub->>GitHub: Shows commit as from "Alice" (Unverified)
Note over GitHub: GitHub matches commits by email, not by SSH or true identity.</div></div>
<div class="section" id="the-problem">
<h3>⚠️ <strong>The Problem</strong></h3>
<ul class="simple">
<li>Anyone with repository access can spoof another contributor's identity</li>
<li>Commit history could be manipulated without detection</li>
<li>No cryptographic proof of commit authenticity</li>
<li>GitHub's user identification relies solely on email addresses</li>
</ul>
</div>
<div class="section" id="the-solution">
<h3>💡 <strong>The Solution</strong></h3>
<p>We implemented mandatory GPG-signed commits, which:</p>
<ul class="simple">
<li>Cryptographically verify commit authenticity</li>
<li>Prevent identity spoofing</li>
<li>Create traceable commit history</li>
<li>Integrate with GitHub's verification system</li>
</ul>
</div>
<div class="section" id="who-this-helps">
<h3>👥 <strong>Who This Helps</strong></h3>
<ul class="simple">
<li>Security-conscious development teams</li>
<li>Open-source project maintainers</li>
<li>Regulated environments requiring audit trails</li>
<li>Organizations needing verified commit history</li>
</ul>
</div>
</div>
<div class="section" id="technical-implementation">
<h2>⚙️ Technical Implementation</h2>
<p>Let's visualize the GPG signing workflow:</p>
<div class="mermaid" id="mermaid-diagram--3822165489569652770">
flowchart LR
C[Commit] -->|Sign| G[GPG Key]
G -->|Verify| GH[GitHub]
subgraph "Local System"
C
G
end
subgraph "Remote"
GH
end
style GH fill:#f96,stroke:#333
style G fill:#9f6,stroke:#333</div><div class="section" id="setting-up-gpg-keys">
<h3>1️⃣ Setting Up GPG Keys</h3>
<div class="highlight"><pre><span></span><span class="c1"># Generate a new GPG key</span>
gpg<span class="w"> </span>--full-generate-key
<span class="c1"># List your keys</span>
gpg<span class="w"> </span>--list-secret-keys<span class="w"> </span>--keyid-format<span class="o">=</span>long
</pre></div>
</div>
<div class="section" id="configuring-git">
<h3>2️⃣ Configuring Git</h3>
<div class="highlight"><pre><span></span><span class="gp"># </span>Configure<span class="w"> </span>Git<span class="w"> </span>to<span class="w"> </span>use<span class="w"> </span>your<span class="w"> </span>GPG<span class="w"> </span>key
<span class="gp">$ </span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>user.signingkey<span class="w"> </span><YOUR_KEY_ID>
<span class="gp">$ </span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>commit.gpgsign<span class="w"> </span><span class="nb">true</span>
<span class="gp">$ </span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>gpg.program<span class="w"> </span>gpg
</pre></div>
</div>
<div class="section" id="github-integration">
<h3>3️⃣ GitHub Integration</h3>
<ol class="arabic simple">
<li>Export your public GPG key:</li>
</ol>
<div class="highlight"><pre><span></span><span class="gp">$ </span>gpg<span class="w"> </span>--armor<span class="w"> </span>--export<span class="w"> </span><YOUR_KEY_ID>
</pre></div>
<ol class="arabic simple" start="2">
<li>Add the key to your GitHub account settings</li>
</ol>
</div>
<div class="section" id="enforcing-signed-commits">
<h3>4️⃣ Enforcing Signed Commits</h3>
<p>In GitHub repository settings:</p>
<ol class="arabic simple">
<li>Navigate to Settings > Branches</li>
<li>Add branch protection rule</li>
<li>Enable "Require signed commits"</li>
</ol>
</div>
</div>
<div class="section" id="troubleshooting-debugging">
<h2>🛠️ Troubleshooting & Debugging</h2>
<ul class="simple">
<li><strong>GPG signing fails</strong>: Check <cite>gpg-agent</cite> configuration</li>
<li><strong>GitHub doesn't show "Verified"</strong>: Ensure GPG key is added to GitHub</li>
<li><strong>CI/CD issues</strong>: Set up proper <cite>GNUPGHOME</cite> environment</li>
<li><strong>Smart card/YubiKey</strong>: Verify proper card reader access</li>
</ul>
</div>
<div class="section" id="optimizations-best-practices">
<h2>🔁 Optimizations & Best Practices</h2>
<ul class="simple">
<li>Use GPG subkeys instead of master keys</li>
<li>Implement regular key rotation</li>
<li>Set up separate signing keys for different contexts</li>
<li>Use environment isolation in CI/CD pipelines</li>
<li>Consider hardware security keys (YubiKey) for key storage</li>
</ul>
</div>
<div class="section" id="conclusion-takeaways">
<h2>✅ Conclusion & Takeaways</h2>
<p>GPG-signed commits provide a robust security layer for Git workflows, ensuring:
- Verified commit authenticity
- Protected repository history
- Clear accountability
- Compliance with security best practices</p>
</div>
<div class="section" id="comments-next-steps">
<h2>💬 Comments & Next Steps</h2>
<p>How do you handle commit verification in your organization? Share your experience or ask questions below!</p>
</div>