Secure programming practices - Signed commits

Signing Git Commits Link to heading

I recently had a discussion with two fellow engineers about secure coding practices. After the discussion I realized that I am neglecting one of the most important practices: signing my commits.

There are tons of articles on the internet explaining why and how. These are my notes on the subject that I decided to publish.

These notes actually use literate programming so they are a mix of notes and code you can actually use via org-mode. You can find the actual notes file here.

Why bother? Link to heading

Signing commits, allows you to track who made the commit and that the commit has not been tampered with. More specifically, it allows you to verify that commit is signed using either a GPG key or an SSH key.

Does this protect you in the case your Github account get’s compromised? No, it does not as the attacker most likely will change the signing key. Still, it verifies that the commit was not signed by your key. If you are using GPG, where keys are public, it also allows others to verify that the commit was signed by you.

Using GPG to sign commits Link to heading

Let’s see how we can use GPG to sign commits.

Extracting the GPG Key ID Link to heading

First, we need to extract the key ID of the GPG key we want to use.

1

gpg --list-keys "iocanel@gmail.com" | grep -v pub | grep -v sub | grep -v uid | xargs

The sections below will use `$KEY_ID` to refer to the actual value.

Configure Git to Use Your GPG Key Link to heading

Extract the key ID and use it to configure Git:

1
2
3
4

git config --global commit.gpgsign true
git config --global gpg.program gpg
git config --global gpg.format openpgp
git config --global user.signingkey $KEY_ID

Export GPG Public Key for GitHub Link to heading

Export your public key in ASCII-armored format for GitHub:

1

gpg --armor --export $KEY_ID

Add GPG Key to GitHub Link to heading

There are two ways of dealing with it:

• Manualy
• Using the Github API

• Add it manually to the Github settings page

  Go to https://github.com/settings/keys and manually add it.

• Use gh and the Github API

  • Enable api access to GPG

    1	gh auth refresh -h github.com -s admin:gpg_key

  • Add the Key using gh and the API

    1 2 3

    gpg --armor --export iocanel@gmail.com > /tmp/publickey.asc gh api --method POST -H "Accept: application/vnd.github+json" /user/gpg_keys -f armored_public_key="$(cat /tmp/publickey.asc)" rm /tmp/publickey.asc

Using SSH to sign commits Link to heading

Generate a new SSH key Link to heading

1
2
3
4

git config commit.gpgsign true
git config gpg.format ssh
git config gpg.ssh.program ssh-keygen
git config user.signingkey /home/iocanel/.ssh/id_rsa

Add SSH Singing Key to GitHub Link to heading

Again, there are two ways of dealing with it (as with GPG):

• Manualy
• Using the Github API

• Add it manually to the Github settings page

  Go to https://github.com/settings/keys and manually add it.

• Use gh and the Github API

  • Enable api access to SSH signing keys

    1	gh auth refresh -h github.com -s admin:ssh_signing_key

  • Add the Key using gh and the API

    1	gh api -X POST -H "Accept: application/vnd.github+json" /user/ssh_signing_keys -f key="$(cat ~/.ssh/id_rsa.pub)" -f title="My SSH signing key"

GPG or SSH? Link to heading

So, which one should you use?

I like the idea of using GPG keys for signing commits, due to the fact that they are public and can be used to verify the commit. SSH in some scenarios and some integration might be more convenient.