 

How does commit signing work?

I am currently wondering exactly how git commit signing works.

I tried to find this out but could not find any exact technical documentation. I know how to do git commit signing, but am wondering what exactly git does to sign a commit.

What exactly is it that is signed? Is it the full data inside the repository at the given commit, i.e. data like the commit message etc. and the data of all files? Or is it only the commit object, with pointers to the contained files etc.?

Markus Kreusch asked Feb 24 '17 10:02




1 Answer

Although it's not documented anywhere, examination of the source code shows that it's the entire contents of the commit object. Those contents then get modified to insert the signature, so that the verification process must strip out the signature into a separate buffer and pass the original, pre-signature-insertion, data to the GPG signer.

The GPG signature data then take part in calculating the SHA-1 checksum for the commit that becomes the commit's hash ID. See gpg-interface.c and commit.c, functions sign_buffer and do_sign_commit respectively. The tag signing is in builtin/tag.c (see function do_sign and its caller); signed tags have their signatures appended rather than inserted, but otherwise this works pretty much the same way.

torek answered Sep 21 '22 20:09
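The framing the answer describes, as an added Python example (this is not git's source and not part of the original answer). It models what is signed and what is hashed: the signed payload is the commit object with the `gpgsig` header stripped out, the signature is re-inserted as a `gpgsig` header whose continuation lines are indented by one space, the object ID is SHA-1 over the `commit <len>\0` framing plus the full content including the signature, and a signed tag is split at the appended armor header instead. The commit and tag objects below are constructed for the example, and the PGP blocks are placeholder text rather than real signatures, so the script exercises the framing only; no gpg call is made.

```python
from __future__ import annotations

import hashlib

# Constructed sample commit object (not from any real repository). The tree is
# git's well-known empty tree; the gpgsig body is placeholder text, not a real
# PGP signature. Continuation lines of the gpgsig header start with one space.
SIGNED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Jane Doe <jane@example.com> 1487931000 +0100\n"
    b"committer Jane Doe <jane@example.com> 1487931000 +0100\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" iQEzBAABCAAdFiEEplaceholderplaceholderplaceholder\n"
    b" =AbCd\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Add signed change\n"
)

GPGSIG = b"gpgsig "
PGP_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def object_id(obj_type: bytes, content: bytes) -> str:
    """git object name: SHA-1 over '<type> <len>\\0' followed by the content.

    For a signed commit the content still contains the gpgsig header, so the
    signature bytes are part of what the commit hash covers.
    """
    framed = obj_type + b" " + str(len(content)).encode() + b"\0" + content
    return hashlib.sha1(framed).hexdigest()


def split_commit_signature(raw: bytes) -> tuple[bytes, bytes]:
    """Separate a commit object into (payload, signature).

    The gpgsig header and its space-indented continuation lines are removed;
    the remaining headers plus the message are the bytes that were signed.
    The signature is returned as ASCII armor ending in a newline, or b"" if
    the commit carries no gpgsig header.
    """
    headers, sep, message = raw.partition(b"\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(GPGSIG):
            in_sig = True
            sig_lines.append(line[len(GPGSIG):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])  # drop the one-space indentation
        else:
            in_sig = False
            kept.append(line)
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else b""
    return b"\n".join(kept) + sep + message, signature


def insert_signature(payload: bytes, signature: bytes) -> bytes:
    """Insert ASCII-armored signature bytes into an unsigned commit.

    The first armor line follows 'gpgsig ', every later line is prefixed with
    a single space so it parses as a header continuation, and the header goes
    after the existing headers, before the blank line that starts the message.
    """
    headers, sep, message = payload.partition(b"\n\n")
    sig_lines = signature.rstrip(b"\n").split(b"\n")
    header = GPGSIG + sig_lines[0] + b"".join(b"\n " + l for l in sig_lines[1:])
    return headers + b"\n" + header + sep + message


def split_tag_signature(raw: bytes) -> tuple[bytes, bytes]:
    """Signed tags keep the signature appended after the message: split at
    the first line that begins with the PGP armor header."""
    pos = 0
    while pos < len(raw):
        if raw.startswith(PGP_BEGIN, pos):
            return raw[:pos], raw[pos:]
        nl = raw.find(b"\n", pos)
        if nl < 0:
            break
        pos = nl + 1
    return raw, b""


# Constructed signed tag pointing at the sample commit; placeholder armor again.
SIGNED_TAG = (
    b"object " + object_id(b"commit", SIGNED_COMMIT).encode() + b"\n"
    b"type commit\n"
    b"tag v1.0\n"
    b"tagger Jane Doe <jane@example.com> 1487931000 +0100\n"
    b"\n"
    b"Release 1.0\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"placeholderplaceholderplaceholder\n"
    b"=AbCd\n"
    b"-----END PGP SIGNATURE-----\n"
)


if __name__ == "__main__":
    payload, sig = split_commit_signature(SIGNED_COMMIT)
    print("signed payload:\n" + payload.decode())
    print("commit id (signature included):", object_id(b"commit", SIGNED_COMMIT))
    print("id of the unsigned payload:     ", object_id(b"commit", payload))
    print("round trip intact:", insert_signature(payload, sig) == SIGNED_COMMIT)
    tag_payload, tag_sig = split_tag_signature(SIGNED_TAG)
    print("tag payload ends with message:", tag_payload.endswith(b"Release 1.0\n"))
```

Running it shows that the payload handed to gpg is only the commit object (tree, parents, author, committer, message), never file contents, and that the two object IDs differ because the stored commit includes the signature. To check the same framing against a real repository, `git cat-file commit HEAD` prints the stored object with its `gpgsig` header, which is the input to `split_commit_signature` here.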