Why Sign Commits?
There are some tangible benefits to signing your Git commits, besides getting a green ‘Verified’ badge (or vendor-specific equivalent) against your commits on Git platforms which support it.
Attacks on software supply chains are becoming increasingly common and are an easy way for malicious actors to introduce vulnerabilities (e.g. ‘backdoors’) into software. Git adopts an honesty-based philosophy by default, and will attribute commits to whatever name and email address is supplied by the committing party. This means anyone with access to a repository can contribute work under the name of any other person with repository access, or even as someone with no repository access! For example, here’s a repo where John McKeever and Bill Gates are both working on some code together:
The problem with this view is that, perhaps unsurprisingly, Bill Gates is not a user of this repository. In this case, Bill Gates' identity was easily fabricated:
### Prepare some code
$> git add my_code.java
### Check our identity
$> git config user.name
John McKeever
$> git config user.email
john.mckeever@datamigrators.com
### Fake our commit identity
$> git config user.name "Bill Gates"
$> git config user.email "bill.gates@microsoft.com"
### Check our fake identity
$> git config user.name
Bill Gates
$> git config user.email
bill.gates@microsoft.com
### Make the fake commit
$> git commit -m "Bill Gates' work"
[master 10f52a3] Bill Gates' work
1 file changed, 7 insertions(+)
create mode 100644 my_code.java
$> git push
Enumerating objects: 4, done.
<blah>
To bitbucket.org:datamigrators/jmck-repo-test.git
6c57bb8..10f52a3 master -> master
### Revert our identity
$> git config user.name "John McKeever"
$> git config user.email "john.mckeever@datamigrators.com"
### Revel in the effectiveness of our handiwork
$> git log
commit 10f52a370e3fb9756a2fdb3a96a6d59c0ada69cf (HEAD -> master, origin/master, origin/HEAD)
Author: Bill Gates <bill.gates@microsoft.com>
Date: Mon Jul 31 23:31:17 2023 +1000
Bill Gates' work
commit 6c57bb84cfc3cdf970f7180a28e84a7d48ae6a23
Author: John McKeever <john.mckeever@datamigrators.com>
Date: Thu Jul 31 22:38:24 2023 +0000
Initial commit
(END)
To make the world believe that Bill Gates authored a commit we simply ran the git config user.name and git config user.email commands with values matching the identity of the individual we wished to masquerade as.
Git is designed so that the committer's details are used simply to identify which of the repository's collaborators made a change; they are not intended to be used for authentication purposes. The ability to impersonate other committers in the manner demonstrated above does not introduce a vulnerability per se. Setting user.name to 'Bill Gates' does not grant a user the ability to push code to Bill Gates' repositories; the hosting platform would still require the user to authenticate with Bill's own credentials (SSH key, access token or password) before granting access to his other resources.
While this is not a true security vulnerability it does introduce significant problems. An unsigned commit does not guarantee that…
the person whose name is on the commit is the real author, or
the code change you see is really what the author wrote (i.e., it’s not been tampered with)
Making a habit of signing your Git commits instead gives you the ability to prove that a specific code change was made by someone holding your private signing key. It also lets anyone detect whether your commit has been modified after the fact: the signature covers the whole commit object (the tree, the parent commits, the author and committer details with their timestamps, and the message), so any later change to the code or to the metadata, such as the time you claimed it was made at, invalidates the signature.
Note that signing Git commits does not prevent others from impersonating you using the technique described above. Those counterfeit commits, however, won't bear a signature made with your key, so they will not receive the 'Verified' badge that vouches for the authenticity of your genuine commits. Keep in mind that the badge reflects the platform's own check against the keys registered with it; you can also verify signatures locally, against keys you trust, with git verify-commit or git log --show-signature.
Depending upon which Git platform you use you may choose to further enforce the integrity of your repository by implementing a policy that all commits must be signed. On GitHub, for example, you can do that using protected branches and the 'Require signed commits' rule.
© 2015-2024 Data Migrators Pty Ltd.