Signing Git commits
It is easy to impersonate others in Git: the author of a commit is plain metadata, and anyone can set it with `--author` or by changing `user.name` and `user.email`. Signing commits binds each commit to a key that only the real committer controls, so a signed history is a reliable audit trail of who actually committed what. As we rely heavily on GitOps at Gjensidige, where the commit history is effectively the change log for our infrastructure, this matters more than ever. Signing your Git commits is a low-effort action everyone can do to strengthen our software supply chain 🔐 ⛓
Prerequisites
The following prerequisites apply only if you sign commits with SSH keys. We recommend SSH key signing because it is easy to set up and reuses tooling you already have.
- An up-to-date Git version, preferably 2.49.0 or later. Check your version by running `git --version`. (SSH signature support itself arrived in Git 2.34.)
- An up-to-date OpenSSH version, preferably 9 or later. Check your version by running `ssh -V`. (SSH signatures require OpenSSH 8.8 or later.)
- Elevated privileges on your computer, if you need to install or upgrade Git or OpenSSH.
HowTo: SSH Key Signing
Follow the steps in the official GitHub documentation for SSH commit signature verification. In short: generate a dedicated ed25519 key, point `user.signingkey` at it, set `gpg.format` to `ssh` and `commit.gpgsign` to `true`, and register the public key on your GitHub profile as a signing key.
HowTo: GPG Key Signing
Alternatively, if you are comfortable with GPG, you can sign with a GPG key instead. Follow the steps in the official GitHub documentation for GPG commit signature verification.
Known pitfalls
- The repository's local `.git/config` conflicts with the global `.gitconfig`. Every repository has a local config file in addition to the global one, and a local value silently overrides the global one. Make sure nothing in the local config conflicts with your global signing setup. To check, open a terminal, navigate to the repository you want to commit to, and run `git config --list --local` to see only the local config and `git config --list --global` to see the global config (`git config --list` on its own shows the merged result, which hides where a value comes from). `gpg.format`, `user.signingkey` and `commit.gpgsign` should come from the global config and not be overridden locally.
- You have not added your @gjensidige.xx email address to your GitHub profile. Add it by following this guide. The committer email in the commit must be a verified email on the GitHub account that owns the signing key, otherwise GitHub shows the commit as Unverified even though the signature itself is valid.
- On Mac, if you have installed OpenSSH manually (not the version bundled with macOS), you will get errors storing keys in Keychain. If `ssh -V` and `/usr/bin/ssh -V` give different results, use the full paths to the bundled tools when following the steps in this guide: `/usr/bin/ssh`, `/usr/bin/ssh-keygen`, `/usr/bin/ssh-agent`, `/usr/bin/ssh-add`.
- When you add your SSH key to your GitHub profile, it must be marked as a Signing Key in the Key Type dropdown. If you are reusing (not recommended!) the SSH key you already use for authentication, you also need to add it a second time as a signing key, because GitHub keeps authentication keys and signing keys separate.