I am currently wondering how git commit signing exactly works.
Tried to find this out but could not find any exact technical documentation. I am aware how to do git commit signing but am wondering what exactly git does to sign a commit.
What exactly is it that is signed? Is it the full data inside the repository at the given commit, so the data like the commit message etc. and the data of all files? Or is it only the commit with pointers to the contained files etc?
Signing, or code signing specifically, is the process of using cryptography to digitally add a signature to data. The receiver of the data can verify that the signature is authentic, and therefore must've come from the signatory. It's like physical signatures, but digital and more reliable.
You can sign commits locally using GPG, SSH, or S/MIME. Note: GitHub Desktop only supports commit signing if your Git client is configured to sign commits by default. Tips: To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.
Unverified means your signature is wrong. This can be if you commit with the wrong E-Mail/Password, if you haven't uploaded the Signature on GitHub (on that account) or if you've uploaded it wrongly.
Although it's not documented anywhere, examination of the source code shows that it's the entire contents of the commit object. Those contents then get modified to insert the signature, so that the verification process must strip out the signature into a separate buffer and pass the original, pre-signature-insertion, data to the GPG signer.
The GPG signature data then take place in calculating the SHA-1 checksum for the commit to become the commit's hash ID. See gpg-interface.c and commit.c, functions sign_buffer and do_sign_commit respectively. The tag signing is in builtin/tag.c (see function do_sign and its caller); signed tags have their signatures appended rather than inserted, but otherwise this works pretty much the same way.
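The insert-then-strip behaviour described in the answer, as an added example that is not part of the original answer or of Git's source: it removes the `gpgsig` header (whose continuation lines are indented by one space) from a raw commit object to recover the bytes that were signed, which hold only the tree ID, author, committer and message, so file contents are covered indirectly through the tree hash. The sample commit, its placeholder signature and the function names `split_signed_commit` and `git_object_id` are assumptions made for illustration.

```python
import hashlib

# Constructed sample: a signed commit body as `git cat-file commit <id>` prints it.
# The identity, timestamps and signature text are placeholders, not real data.
SIGNED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1700000000 +0000\n"
    b"committer A U Thor <author@example.com> 1700000000 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDERSIGNATUREDATA\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Add feature\n"
)


def split_signed_commit(raw, header=b"gpgsig"):
    """Return (payload, signature): the bytes that were signed, and the signature."""
    head, sep, message = raw.partition(b"\n\n")  # headers end at first blank line
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if in_sig and line.startswith(b" "):
            sig.append(line[1:])                 # continuation: drop the one-space indent
        elif line.startswith(header + b" "):
            in_sig = True
            sig.append(line[len(header) + 1:])   # first signature line follows the key
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + sep + message
    signature = b"\n".join(sig) + b"\n" if sig else b""
    return payload, signature


def git_object_id(body, kind=b"commit"):
    """SHA-1 object ID: hash of '<kind> <length>\\0' followed by the object body."""
    return hashlib.sha1(b"%s %d\x00" % (kind, len(body)) + body).hexdigest()


if __name__ == "__main__":
    payload, signature = split_signed_commit(SIGNED_COMMIT)
    print(payload.decode(), end="")
    print("ID of stored commit (signature included):", git_object_id(SIGNED_COMMIT))
    print("ID of the signed payload alone:          ", git_object_id(payload))
```

For a real commit, writing the two returned values to files and running `gpg --verify <signature-file> <payload-file>` checks the signature over exactly those bytes.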