Should You Sign Git Commits?


How does commit signing work?

Again, I’m focusing on GitHub. The basic flow is pretty simple to get started with. The full documentation from GitHub is here, but at a high level, you:

  • Generate a GPG keypair locally with something like: gpg --gen-key
  • Log into your GitHub account, and upload the public key
  • Sign your commit with: git commit -S
  • Run git push and watch the green checkmark appear!
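The four steps above, run end to end on a disposable key, as an added example that is not part of the original post: it generates a throwaway Ed25519 key in a temporary GNUPGHOME, configures the repository so every commit is signed, makes one signed commit, and then asks git for its verdict rather than relying on GitHub's checkmark. It assumes `gpg` (2.1 or later) and `git` are on PATH; the name `Demo Dev` and address `dev@example.com` are constructed.

```python
import os
import subprocess
import tempfile
import textwrap


def run(cmd, env, cwd=None):
    """Run a command, raise on non-zero exit, return its stdout."""
    return subprocess.run(cmd, cwd=cwd, env=env, check=True,
                          capture_output=True, text=True).stdout


def demo_signed_commit(work=None):
    """Generate a throwaway key, make one signed commit, return git's verdict."""
    work = work or tempfile.mkdtemp(prefix="signdemo-")
    gnupghome = os.path.join(work, "gnupg")
    os.makedirs(gnupghome, mode=0o700)        # gpg warns on permissive homedirs
    env = dict(os.environ, GNUPGHOME=gnupghome)

    # Unattended key generation. %no-protection means no passphrase, which is
    # fine for a disposable demo key and wrong for a real signing key.
    params = textwrap.dedent("""\
        %no-protection
        Key-Type: eddsa
        Key-Curve: ed25519
        Key-Usage: sign
        Name-Real: Demo Dev
        Name-Email: dev@example.com
        Expire-Date: 1d
        %commit
    """)
    subprocess.run(["gpg", "--batch", "--quiet", "--gen-key"], input=params,
                   env=env, check=True, capture_output=True, text=True)

    # Read the new key's fingerprint from machine-readable output
    # ("fpr:" record, field 10).
    listing = run(["gpg", "--batch", "--with-colons", "--list-keys"], env)
    fingerprint = next(line.split(":")[9] for line in listing.splitlines()
                       if line.startswith("fpr:"))

    repo = os.path.join(work, "repo")
    run(["git", "init", "-q", repo], env)
    for key, value in [("user.name", "Demo Dev"),
                       ("user.email", "dev@example.com"),
                       ("user.signingkey", fingerprint),
                       ("commit.gpgsign", "true")]:  # sign every commit, not only -S ones
        run(["git", "config", key, value], env, cwd=repo)

    with open(os.path.join(repo, "README"), "w") as fh:
        fh.write("signed commit demo\n")
    run(["git", "add", "README"], env, cwd=repo)
    run(["git", "commit", "-q", "-S", "-m", "first signed commit"], env, cwd=repo)

    # %G? is git's signature status (G good, U good but unknown validity,
    # B bad, N none); %GP is the primary fingerprint of the signing key.
    line = run(["git", "log", "-1", "--format=%G?%x09%GP"], env, cwd=repo).strip()
    status, signer = line.split("\t")
    return {"status": status, "expected_key": fingerprint, "signing_key": signer}


if __name__ == "__main__":
    print(demo_signed_commit())
```

The same `git log --format=%G?` query is what to run on the verifying side; the status comes from your own keyring, which is the point the rest of the post makes: the signature is only as meaningful as the key list you check it against.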

The Problem

The problem is that most people stop here, without using any form of PKI beyond the GitHub account. When you get a new laptop, you add a new public key. No one uses PGP’s web-of-trust, so anyone checking the signatures just has to rely on the public keys uploaded to the GitHub account, and that account is just protected by the same password you used to push.

So Why Do It At All?

I’ll outline a few possible reasons here, none of which are compelling enough to make me personally start signing.

Web Of Trust

If you’re actually using Web-Of-Trust (for some reason…) or are using some third-party service (like KeyBase) to manage your identity, you might get some protections against a GitHub account compromise. I think it would be better to just configure MFA using a hardware token and not worry about this at all, but I digress.

Infrastructure Compromise

You might gain some protections against a GitHub infrastructure compromise itself, assuming an attacker had access to the repository itself but not access to the list of public keys. If you’re worried about this, I’d recommend running your own SCM system in as secure of an environment as makes you comfortable instead.

Identity Protection/Impersonation

Here’s the only one that might convince me to start signing commits someday. The high level issue is that the author of a commit is whoever shows up in the Author: field, which can be any random string. GitHub manages permissions on a repo using a GitHub account, which may or may not use the same email addresses in a commit. Anyone can push commits to their own repositories with anyone else’s email address.
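A check that closes the gap between the free-text Author: field and an actual key, as an added example that is not from the original post. Instead of trusting whichever public keys happen to be uploaded to a GitHub account (the problem described earlier), the verifier pins primary-key fingerprints per author e-mail in a list you control, and then walks the output of `git log --format=%H%x09%G?%x09%GP%x09%ae`. A commit passes only if its signature is good and the signing key is one pinned for the e-mail it claims. The fingerprints and the log lines below are constructed placeholders, not real keys or commits.

```python
from dataclasses import dataclass

# Pinned primary-key fingerprints per author e-mail. Constructed placeholders;
# in practice this list lives in the repo or CI config, not on the forge.
TRUSTED_KEYS = {
    "alice@example.com": {"AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000"},
    "bob@example.com":   {"BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000"},
}

# Constructed sample of: git log --format='%H%x09%G?%x09%GP%x09%ae'
# Columns: commit, signature status, signing primary fingerprint, author e-mail.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tAAAA0000AAAA0000AAAA0000AAAA0000AAAA0000\talice@example.com
2222222222222222222222222222222222222222\tN\t\talice@example.com
3333333333333333333333333333333333333333\tB\tAAAA0000AAAA0000AAAA0000AAAA0000AAAA0000\talice@example.com
4444444444444444444444444444444444444444\tG\tCCCC0000CCCC0000CCCC0000CCCC0000CCCC0000\talice@example.com
5555555555555555555555555555555555555555\tU\tBBBB0000BBBB0000BBBB0000BBBB0000BBBB0000\talice@example.com
6666666666666666666666666666666666666666\tU\tBBBB0000BBBB0000BBBB0000BBBB0000BBBB0000\tbob@example.com
"""


@dataclass
class Finding:
    commit: str
    author: str
    verdict: str


def check_commit(sha, status, fingerprint, author):
    """Map one log line to a verdict. git's %G? codes: G good, U good but
    unknown validity, B bad, E cannot check, X/Y/R expired or revoked, N none."""
    if status == "N":
        return Finding(sha, author, "unsigned")
    if status not in ("G", "U"):
        return Finding(sha, author, f"signature invalid or unusable ({status})")
    # U is accepted on purpose: trust comes from the pinned list below, not
    # from gpg's ownertrust database, so validity-unknown is not a failure.
    if author not in TRUSTED_KEYS:
        return Finding(sha, author, "author has no pinned key")
    if fingerprint not in TRUSTED_KEYS[author]:
        # A good signature proves someone held *a* key; it says nothing about
        # the author string unless that key is the one pinned for this author.
        return Finding(sha, author,
                       f"signed by key {fingerprint[-8:]} not pinned for this author")
    return Finding(sha, author, "ok")


def check_log(text):
    """Verify every tab-separated log line and return the findings in order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, fingerprint, author = line.split("\t")
        findings.append(check_commit(sha, status, fingerprint, author))
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f.commit[:12], f.author, f.verdict)
```

In CI the input would come from `git log --format='%H%x09%G?%x09%GP%x09%ae' origin/main..HEAD`, with the run failing on any verdict other than `ok`. The `%GP` placeholder needs a reasonably recent git; older versions only offer `%GK` (key id), which is shorter and should not be used for pinning.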

Conclusion

Unless you’re really worried about the impersonation angle, I don’t really recommend signing git commits for most people. Take care of your basic account hygiene with MFA and hardware tokens, and that’s plenty for most people. If you run your own Git infrastructure, signed pushes can help protect against infrastructure and account compromises as well.
