Signing Git commits

It is easy to impersonate others by changing the --author of a Git commit. Signing commits is a good way to ensure the integrity of the commit author, making Git a reliable source for code audit trails. As we rely heavily on GitOps at Gjensidige, this becomes more important than ever. Signing your Git commits is a low-effort action everyone can do to increase the overall security of our supply chain 🔐

The guides on this page are mostly copied from the official GitHub docs and are provided mainly for your convenience. All guides have been tested on Gjensidige laptops in several configurations.

Prerequisites

The following prerequisites are only valid if you are signing commits with SSH keys. All guides on this page use commit signing with SSH keys.

  • Git version 2.34 or later. Check your version by running git --version
  • OpenSSH in any version other than 8.7, as ssh-keygen is broken in that version. Check your version by running ssh -V
  • Elevated privileges on the machine.

Known pitfalls

  • The local .gitconfig conflicts with the global .gitconfig. Each repository has a local git config file in addition to the global one, and you should make sure that the local config does not conflict with the global config. To check, open your terminal and navigate to the repository you want to commit to. Then run git config --list to see the local config and git config --list --global to see the global config. The local config should have inherited the properties gpg.format, user.signingkey and commit.gpgsign
  • You have not added your @gjensidige.xx email address to your GitHub profile. Add it by following this guide
  • On Mac, if you have installed OpenSSH manually (not the native macOS version), you will get errors when storing keys in the Keychain. If ssh -V and /usr/bin/ssh -V yield different results, use the following commands when following the steps in this guide:
    • /usr/bin/ssh
    • /usr/bin/ssh-keygen
    • /usr/bin/ssh-agent
    • /usr/bin/ssh-add
  • When you add your SSH key to your GitHub profile, it needs to be marked as Signing Key in the Key Type dropdown. So even if you already have an SSH key registered for authentication, you still need to add it again as a signing key

HowTo: Mac

The following steps are curated from the official GitHub documentation for your convenience 🤗

  1. Generate a new SSH key: ssh-keygen -t ed25519 -C "my.email@gjensidige.xx"
    • Be sure to enter a password and save it in a safe place (e.g. a password manager)
  2. Start the ssh-agent in the background: eval "$(ssh-agent -s)"
  3. Modify your SSH config to automatically load keys into the ssh-agent and store passphrases in your keychain:
    1. Open SSH config: open ~/.ssh/config. If the file doesn't exist on your computer, create it
    2. Add the following config to the file. This assumes you added a password in step 1
      Host *
      AddKeysToAgent yes
      UseKeychain yes
      IdentityFile ~/.ssh/id_ed25519
  4. Add your SSH private key to the ssh-agent and store your passphrase in the keychain: ssh-add --apple-use-keychain ~/.ssh/id_ed25519
    • Make sure the ssh-agent is running; if not, start it with eval "$(ssh-agent -s)"
    • Invoke ssh-add --apple-use-keychain ~/.ssh/id_ed25519
    • Check if SSH private key has been added: ssh-add -l
  5. Configure Git to use SSH to sign commits and tags: git config --global gpg.format ssh
  6. Copy content of the Public Key: pbcopy < ~/.ssh/id_ed25519.pub
  7. Add the Public Key to your GitHub profile as explained here
  8. Set your SSH signing key: git config --global user.signingkey "paste the content from step 6 here"
    • The content from step 6 will look something like: ssh-ed25519 AAAAC3(...) my.email@gjensidige.xx
    • Wrap the content copied in step 6 in double quotes so that it is treated as a single string in the command
  9. Tell Git to sign commits by default: git config --global commit.gpgSign true
  10. Load your identity into the ssh-agent whenever you start a new terminal by adding the following line to your .zshrc file: ssh-add ~/.ssh/id_ed25519
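As an added check (an example script, not part of the original guide or of GitHub's docs), the following POSIX sh script verifies the two version prerequisites and the three Git settings the steps above configure. It resolves each setting the way Git does, where the last value listed wins, which is exactly how a local .gitconfig can silently override the global one as described under known pitfalls. The config listings embedded in it are constructed samples, not captured from a real machine.

```shell
# Added example: sanity-check a commit-signing setup. Text parsers are kept apart from the live commands.
# git_version_ok "<output of git --version>": returns 0 when the version is 2.34 or later
git_version_ok() {
  set -- $(printf '%s\n' "$1" | sed -n 's/^git version \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ $# -eq 2 ] || return 1
  [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 34 ]; }
}
# ssh_version_ok "<output of ssh -V>": returns 0 unless the release is the broken 8.7
ssh_version_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p')
  [ -n "$v" ] && [ "$v" != "8.7" ]
}
# effective <key> "<output of git config --list>": the value Git will actually use.
# Git lists system, global, then local config; the last occurrence of a key wins.
effective() {
  printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}
# signing_config_ok "<output of git config --list>": returns 0 when the effective
# values match what the guide configures; prints one line per mismatch otherwise.
signing_config_ok() {
  rc=0
  fmt=$(effective gpg.format "$1")
  sign=$(effective commit.gpgsign "$1")
  key=$(effective user.signingkey "$1")
  [ "$fmt" = ssh ] || { echo "gpg.format is '$fmt', expected ssh"; rc=1; }
  [ "$sign" = true ] || { echo "commit.gpgsign is '$sign', expected true"; rc=1; }
  case $key in
    ssh-*|key::*|/*|~*) ;;   # a literal public key, or a path to the key file
    *) echo "user.signingkey is '$key', expected an SSH public key or key path"; rc=1 ;;
  esac
  return $rc
}
# Constructed sample listings (placeholder key material, not a real key).
SAMPLE_GOOD='user.email=my.email@gjensidige.xx
gpg.format=ssh
user.signingkey=ssh-ed25519 AAAAC3EXAMPLEKEY my.email@gjensidige.xx
commit.gpgsign=true'
# Same global config, but the repository's local config overrides two keys (the pitfall).
SAMPLE_CONFLICTING="$SAMPLE_GOOD
gpg.format=openpgp
commit.gpgsign=false"
# Live check of this machine; skipped when git or ssh is not installed.
if command -v git >/dev/null 2>&1 && command -v ssh >/dev/null 2>&1; then
  git_version_ok "$(git --version)" || echo "Git is older than 2.34"
  ssh_version_ok "$(ssh -V 2>&1)" || echo "OpenSSH 8.7 has a broken ssh-keygen"
  signing_config_ok "$(git config --list 2>/dev/null)" && echo "signing config looks good"
fi
```

Run it from inside a repository to include that repository's local config in the check.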

HowTo: Windows with WSL

👷 Under construction, check back later 🚧

HowTo: Windows without WSL

Team Utbytte has created an excellent guide to sign your commits on Windows. It's on Confluence - click here to check it out.