Should You Sign Git Commits?

How does commit signing work?

  • Generate a GPG keypair locally with something like: gpg --gen-key
  • Log into your GitHub account, and upload the public key
  • Sign your commit with: git commit -S
  • Run git push and watch the green checkmark appear!
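The green checkmark in the last step is GitHub's verification of the signature. The same verdict is available locally, without GitHub, from git itself: the command git log --format='%H %G? %GS' prints each commit's hash, a one-letter signature status and the signer, and git verify-commit <sha> checks a single commit. The script below is an added example, not code from the original post. It parses that log format and flags every commit that is unsigned or whose signature cannot be validated, which is the check a reviewer or CI job would run before trusting a branch. The status letters are the ones documented in git-log(1); the commit hashes, names and addresses in the sample are constructed and do not come from any real repository.

```python
"""Flag commits whose signature status is not acceptable.

Input format is what this command produces:
    git log --format='%H %G? %GS' <range>
The sample data at the bottom is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Meaning of the %G? status letters, as documented in git-log(1).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, but the key is not trusted",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. public key missing)",
    "N": "no signature",
}

_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class CommitSig:
    sha: str      # full commit hash (%H)
    status: str   # one %G? letter
    signer: str   # %GS, empty when the commit is unsigned


def parse_log(text: str) -> list[CommitSig]:
    """Parse the output of git log --format='%H %G? %GS'."""
    commits: list[CommitSig] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        if (len(parts) < 2 or not _SHA_RE.match(parts[0])
                or parts[1] not in STATUS_MEANING):
            raise ValueError(f"unexpected git log line: {raw!r}")
        signer = parts[2].strip() if len(parts) == 3 else ""
        commits.append(CommitSig(parts[0], parts[1], signer))
    return commits


def audit(commits: list[CommitSig],
          accept: frozenset[str] = frozenset({"G"})) -> list[tuple[CommitSig, str]]:
    """Return (commit, reason) for every commit whose status is not accepted.

    By default only 'G' passes: a good signature from a key marked trusted
    in the local keyring. Pass accept={"G", "U"} to also allow good
    signatures from keys you have imported but not yet trusted, which is
    the usual situation when reviewing other people's commits.
    """
    return [(c, STATUS_MEANING[c.status]) for c in commits
            if c.status not in accept]


# Constructed sample output; hashes and identities are made up.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G Alice Example <alice@example.com>
0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddcc N
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef E Bob Example <bob@example.com>
123456789abcdef123456789abcdef1234567890 U Carol Example <carol@example.com>
"""


def main() -> None:
    for commit, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{commit.sha[:7]}  {commit.status}  {reason}"
              f"  signer={commit.signer or '-'}")


if __name__ == "__main__":
    main()
```

Run against a real repository by piping the git log command into parse_log; exit non-zero from CI when audit returns anything, so an unsigned or unverifiable commit cannot merge silently.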

The Problem

So Why Do It At All?

Web Of Trust

Infrastructure Compromise

Identity Protection/Impersonation

Dan Lorenc, Founder/CEO at Chainguard
