Software Engineer

Why you should sign your git commits

Git is a distributed version control system that allows developers to manage changes to their code over time. Each time a developer makes changes to the codebase, they create a new commit, which represents a snapshot of the code at a specific point in time. Along with the changes to the code, each commit also includes metadata that provides important information about the commit.

The metadata of a commit includes several key pieces of information, such as the author, committer, committer date, and author date. The author is the person who originally wrote the code, while the committer is the person who applied the changes to the repository. The author date refers to the date, and time when the original code was written, while the committer date refers to the date and time when the changes were committed to the repository. The commit date will change when you make changes by using --amend, a force push, a rebase, or other git commands.

In summary, the metadata of a commit in git provides critical information about the code, including who wrote it, who applied changes to it, and when those changes were made. This information is essential for understanding the context of the code and tracking changes to the codebase over time. By default, the author/committer date information is filled with the current date, and the author/committer is filled with the user configuration from the git configuration file (~/.gitconfig).

In a git commit, you can specify the author of a commit, using the --author argument. As mentioned, the default author is taken from the git configuration file.

A commit specifying the author
A commit specifying the author

I created this commit just providing an author argument:

git commit --author="Lucas Felipe <[email protected]>"

As can you see, I set lpaivareis as the author, but I was responsible for the commit, so the git put me as the committer. This happen because I did this commit from my computer, and my git configuration has my username and email.

But what happens if I want to impersonate someone, and set my git configuration file with another username and email? Exactly! This is the point.

git config "Lucas Felipe"
git config "[email protected]"

Now, all my commits in this repository (and all of them, if I set it globally using the --global argument) will seem that come from lpaivareis:

An misattributing commit impersonating Lucas
An misattributing commit impersonating Lucas

This is an expected behavior from git, you can make commits in name of others, or just put them as the author of a commit, and they don’t need to accept anything, they won’t even know about it. In this case, my friend Lucas Felipe (lpaivareis) nor have access to the private repository that I’m using.

The only way to let people trust in your commits, proving they really came from you, is signing all your commits. All that you will need to do, is generate a GPG key, add them to your GitHub or GitLab account, and tell to git sign all of your commits with that key:

git config --global commit.gpgsign true

Signing your commits, you’ll get a beautiful verified badge in all of your commits:

A signed commit
A signed commit

This post’s purpose is just to convince you that you really need to sign all of your commits, and if I was successful in my mission, I’ll give you great references to do that:

Thanks for reading!