✅ Verifying Your Github Commits

March 4, 2018

In this day and age computer security has never been more important. Open source software powers much of the world’s computing infrastructure and as such, we are dependent on the integrity of this software from a security point of view. Code is merged into open source repositories in a structural and intentional manner. However, it’s theoretically possible for a user to masquerade as another simply by changing their Git username and name. Another attack vector could simply be to obtain physical or remote access to a computer with commit access to a popular repository.

Fortunately, there’s an additional layer of security that we can add with relatively little effort on the developer’s part - signing your commits with a GPG key. Git commits that have been signed allow us to be sure that the commit can only have come from a trusted source. In order to sign commits with your key you will need to enter the passphrase - and this additional step can protect a repository even if a user’s account has been compromised.

GitHub natively supports GPG the verification of signed commits. By following some simple instructions you can add a GPG key to your account and have your commits verified by GitHub as originating from you. This can help increase the security of your repository and reduce the likelihood of malicious code being introduced.

Verified Commits

Let’s create your GPG key and get started! Be sure to enter your correct details in each prompt, making sure to match your GitHub email address. It’s also important to choose a decent passphrase as this is really your final line of security in the event that your machine is compromised, physically or otherwise.

brew install gpg
gpg --full-generate-key
gpg --list-secret-keys --keyid-format LONG

The next step is to export your public key which we can then add to your GitHub account. Find the long hexadecimal string that looks like the one in the screenshot. Note that the string will be different to mine.

Export Your Key

Follow these instructions to import the public key into your GitHub account. GitHub can then use this to verify any commits that are signed by your private key.

So how do we tell Git to sign your commits? I’ve been using an app called pinentry-mac which puts up a GUI prompting you for you for the passphrase you chose earlier everytime you create a commit.

brew install pinentry-mac
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent

Next we just need to update your Git config to sign each commit:

git config --global gpg.program gpg
git config --global commit.gpgsign true

Time to write some code! Write some code and then commit as you normally would (this also works with the GitHub Desktop client):

git commit -a

You should then see a prompt to enter your passphrase:

pinentry-mac

Congratulations! Your commit has now been signed and will be verified by GitHub when you push the commit to your repository. Other developers on a project will be able to see that your commits have come from a trusted source.

It’s up to the maintainers of a repository to agree on a policy that commits should be signed. There’s an interesting discussion on the NodeJS repository about whether or not all commits should be signed - I’ll leave that as a further exercise for the reader 🙂

comments powered by Disqus