What does it mean to sign a commit in Git? Even after reading the documentation, I'm still a bit confused on how it works.
If a commit is signed, does that mean we can tell whether or not the author name and email on a commit are accurate?
If you're interested in signing commits directly instead of just the tags, all you need to do is add a -S to your git commit command. To see and verify these signatures, there is also a --show-signature option to git log.
Signing, or code signing specifically, is the process of using cryptography to digitally add a signature to data. The receiver of the data can verify that the signature is authentic, and therefore must've come from the signatory. It's like physical signatures, but digital and more reliable.
GitHub will verify GPG, SSH, or S/MIME signatures so other people will know that your commits come from a trusted source. GitHub will automatically sign commits you make using the GitHub web interface. About commit signature verification.
Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.
Technically it merely means the holder of the corresponding private key signed the commit. In practice it can be inferred that 1) the holder of said key is a person with some verifiable reputation, 2) that person has claimed authorship of the code, and 3) the code hasn't changed since they signed it. I have very limited knowledge of how GPG key holders establish their identity with others, but that's the general idea.
Why might you want to check all that? If the software in question is critical to some type of security, an attacker might compromise you by substituting broken software for the software you think you're getting, e.g. something with a backdoor you couldn't easily identify. After all, you want some code, you click "download", and you trust that what arrives over the wire is what was written on the button. But, ideally, the attacker would not be able to imitate the signature of the true author, as they wouldn't have the author's private key. And they can't just change the code and leave the signature alone, because it involves a hash of the code itself.
See Code Signing on wikipedia.