It is good practice to sign your source control commits, especially if you work on Open Source Software. On popular Open Source platforms it is very easy for someone to impersonate you by using your name and email address, and those impersonated commits will then be linked to your account. The easiest way to prove your identity is to sign your commits, which adds a small verified badge next to each commit.
Before you can get started with signing your commits you need to create the necessary keys and install them onto your GitHub profile and onto the computer(s) you plan on working from.
There is a great tutorial on how to get this up and running in the GitHub Docs.
Pitfalls to Avoid
If you have made any signed commit with your configured GPG key, never remove that key, even if you no longer use it; otherwise those commits will stop showing up as verified.
Secure Commits & the CLI
Once you have your computer and GitHub accounts configured you can start signing commits the easy way.
git commit -S -m "This is a secure message"
Breaking down the command there is 1 new parameter that gets passed to the commit command.
- -S -- Which stands for Secure
If you don't pass the -S flag to the commit command your commit will be unsigned.
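The other half of the story is checking what actually got signed. The following is an added example, not code from the original post: it parses git log output produced with --pretty=format:'%H%x09%G?%x09%an%x09%ae' and flags every commit whose signature status is not a good signature from a trusted key, calling out the case the post warns about (an unsigned commit under the name of someone who always signs). The sample log lines, author names and set of known signers are constructed for illustration.

```python
"""Audit `git log` output for unsigned or untrustworthy commits.
Input: git log --pretty=format:'%H%x09%G?%x09%an%x09%ae'  (tab-separated)."""
# Meaning of git's one-letter %G? signature status, per git-log(1).
SIGNATURE_STATUS = {
    "G": "good signature from a trusted key",
    "B": "BAD signature",
    "U": "good signature, but key validity unknown (not trusted)",
    "X": "good signature, but the signature has expired",
    "Y": "good signature, but the signing key has expired",
    "R": "good signature, but the signing key was revoked",
    "E": "signature could not be checked (signing key missing?)",
    "N": "no signature",
}

def parse_log(text):
    """Split tab-separated log lines into (sha, status, name, email) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            sha, status, name, email = line.split("\t", 3)
            rows.append((sha, status, name, email))
    return rows

def audit_log(text, signing_authors=frozenset()):
    """Return (accepted_shas, findings); a finding is (sha, status, name, email, reason).
    Only 'G' proves the author identity. An unsigned commit whose author email
    belongs to someone who signs every commit is the impersonation case."""
    accepted, findings = [], []
    for sha, status, name, email in parse_log(text):
        if status == "G":
            accepted.append(sha)
            continue
        reason = SIGNATURE_STATUS.get(status, "unknown status letter")
        if status == "N" and email in signing_authors:
            reason = "possible impersonation: this author normally signs"
        findings.append((sha, status, name, email, reason))
    return accepted, findings

# Constructed sample log (not from a real repository).
SAMPLE_LOG = "\n".join([
    "c0ffee01\tG\tAlice Maintainer\talice@example.com",
    "c0ffee02\tN\tAlice Maintainer\talice@example.com",
    "c0ffee03\tU\tBob Contributor\tbob@example.com",
    "c0ffee04\tB\tAlice Maintainer\talice@example.com",
    "c0ffee05\tN\tCarol Driveby\tcarol@example.com",
])

if __name__ == "__main__":
    for sha, status, name, email, reason in audit_log(SAMPLE_LOG, {"alice@example.com"})[1]:
        print(f"{sha} [{status}] {name} <{email}>: {reason}")
```

Because %G? depends on the keys in your local GPG keyring, a "U" or "E" on someone else's commit usually means you have not imported or trusted their public key rather than that the commit is forged.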
Visual Studio & Visual Studio Code
As a .NET developer I am constantly working with tools such as Visual Studio and Visual Studio Code. These tools do not have any built-in support for GPG signing of commits: the commands the IDE passes to git do not include the -S flag, so commits made from the IDE are not signed.
Git Configuration File
To get your IDE to always sign your commits, update the repository's git configuration so that every commit is signed even when the IDE does not pass the -S flag.
To get started:
- Clone the repo of your choice and change directory into the new folder
- Run git config --edit to open the git config file
- Add the following lines (gpgsign belongs in the [commit] section)
[commit]
	gpgsign = true
- To exit the editor if it is vim, enter :wq
Now go ahead and make a commit from any editor; the GPG password window will pop up and ask for your password before the commit proceeds.
Sample Config File
Here is an example configuration file
[core]
	repositoryformatversion = 0
	filemode = false
	bare = false
	logallrefupdates = true
	symlinks = false
	ignorecase = true
[remote "origin"]
	url = https://github.com/HoeflingSoftware/Xamarin.TitleViewSample.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
[commit]
	gpgsign = true
[user]
	name = Andrew Hoefling
	email = [email protected]