Securely Sign Git Commits in Visual Studio


It is a good practice to sign your source control commits, especially if you work on Open Source Software. On popular Open Source platforms it is very easy for someone to impersonate you by using your name and email address, and those impersonated commits will then end up linking to your account. The easiest way to prove identity is by signing your commits, which adds a nice little verified badge next to each commit.

GitHub Configuration

Before you can get started with signing your commits you need to create the necessary keys and install them onto your GitHub profile and onto the computer(s) you plan on working from. 

There is a great tutorial on how to get this up and running in the GitHub Docs.

Pitfalls to Avoid

If you make any secured commit with your configured GPG key, do not ever remove it, even if you don't use the key anymore; otherwise those commits will no longer show up as verified.

Secure Commits & the CLI

Once you have your computer and GitHub accounts configured you can start signing commits the easy way.

git commit -S -m "This is a secure message"

Breaking down the command there is 1 new parameter that gets passed to the commit command.

  • -S -- Which stands for Secure (the long form of the flag is --gpg-sign)

If you don't pass the -S flag to the commit command your commit will be unsigned.

Visual Studio & Visual Studio Code

As a .NET developer I am constantly working with tools such as Visual Studio and Visual Studio Code. These tools do not have any built-in support for GPG signing of commits: the commands passed by the IDE exclude the -S flag needed to securely sign your commit.

Git Configuration File

To get your IDE to always sign your commits you just need to update the configuration file to force:

  • gpgsign = true

To get started:

  1. Clone the repo of your choice and change directory into the new folder
  2. $ git config --edit to open the git config file
  3. Add the following code
    [commit]
            gpgsign = true
  4. To exit the editor, if it is vim:
    1. Shift-:
    2. Enter wq

Now go ahead and make a commit with any editor, and the GPG password window will pop up asking for your password before you proceed with your commit.

Sample Config File

Here is an example configuration file:

[core]
        repositoryformatversion = 0
        filemode = false
        bare = false
        logallrefupdates = true
        symlinks = false
        ignorecase = true
[remote "origin"]
        url = https://github.com/HoeflingSoftware/Xamarin.TitleViewSample.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
        remote = origin
        merge = refs/heads/master
[commit]
        gpgsign = true
[user]
        name = Andrew Hoefling
        email = [email protected]
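
The steps above edit .git/config by hand. As an added example (not the author's code, and not part of the post), the script below parses a git config file in the format shown in the sample, reports whether commit signing is forced on, and rewrites the file so that [commit] carries gpgsign = true, flipping an existing false value or appending the section if it is missing. The sample config text inside it is constructed for the example, and git's boolean spellings (true/yes/on/1, or a bare key) are handled the way git interprets them.

```python
"""Check and force `commit.gpgsign = true` in a git config file.

Added example for this post, not the author's own code. Parses git's
INI-like format: `[section]` / `[section "subsection"]` headers,
`key = value` lines, and `#` / `;` comments. SAMPLE_CONFIG is constructed
for the example and is not a real repository's config.
"""
import re

SECTION_RE = re.compile(r'^\s*\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*?))?\s*$')
# git accepts these spellings for "true"; a bare key with no "= value" also means true
TRUE_VALUES = {"true", "yes", "on", "1", ""}

# Constructed sample: a freshly cloned repo with no [commit] section yet.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = false
[remote "origin"]
\turl = https://github.com/example/sample.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
[user]
\tname = Example User
"""


def parse_git_config(text):
    """Return {(section, subsection, key): value}; section and key are lowercased
    (git treats them case-insensitively). Later duplicates win, like `git config --get`."""
    entries = {}
    section = subsection = None
    for raw in text.splitlines():
        # Drop comments (this simple parser does not honour quotes around '#' or ';').
        line = raw.split("#", 1)[0].split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            key, value = m.group(1).lower(), m.group(2)
            value = "" if value is None else value.strip().strip('"')
            entries[(section, subsection, key)] = value
    return entries


def git_bool(value):
    """Interpret a value the way git does for boolean keys such as commit.gpgsign."""
    return value.strip().lower() in TRUE_VALUES


def signing_forced(text):
    """True only if the config forces signed commits (commit.gpgsign is true)."""
    value = parse_git_config(text).get(("commit", None, "gpgsign"))
    return value is not None and git_bool(value)


def force_gpgsign(text):
    """Return the config text with commit.gpgsign = true: rewrite an existing
    gpgsign line, add the key to an existing [commit] section, or append the
    [commit] section (step 3 of the post) when there is none."""
    if signing_forced(text):
        return text
    out, in_commit, written = [], False, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_commit and not written:      # leaving a [commit] section that lacked the key
                out.append("\tgpgsign = true")
                written = True
            in_commit = m.group(1).lower() == "commit" and m.group(2) is None
            out.append(line)
            continue
        km = KEY_RE.match(line)
        if in_commit and km and km.group(1).lower() == "gpgsign":
            out.append("\tgpgsign = true")     # flip a false/unset value in place
            written = True
            continue
        out.append(line)
    if in_commit and not written:              # [commit] was the last section
        out.append("\tgpgsign = true")
        written = True
    if not written:                            # no [commit] section at all
        out.extend(["[commit]", "\tgpgsign = true"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("signing forced before:", signing_forced(SAMPLE_CONFIG))
    patched = force_gpgsign(SAMPLE_CONFIG)
    print("signing forced after: ", signing_forced(patched))
    print(patched)
```

Run it against a copy of .git/config rather than the live file if you want to diff the result first; `git config --get commit.gpgsign` in the repo is the authoritative check once the file is written, since git also merges in the global and system config that this script does not read.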
