Tags: git, git-sign

What is a signed commit?
What does it mean to sign a commit in Git? Even after reading the documentation, I'm still a bit confused about how it works.

If a commit is signed, does that mean we can tell whether or not the author name and email on a commit are accurate?
Solution

  • Technically it merely means the holder of the corresponding private key signed the commit. In practice it can be inferred:

    1. the holder of said key is a person with some verifiable reputation,
    2. that person has claimed authorship of the code, and
    3. the code hasn't changed since they signed it.

    I have very limited knowledge of how GPG key holders establish their identity with others, but that's the general idea.

    Why might you want to check all that? If the software in question is critical to some type of security, an attacker might compromise you by substituting broken software for the software you think you're getting, e.g. something with a backdoor you couldn't easily identify. After all, you want some code, you click "download", and you trust that what arrives over the wire is what was written on the button. But, ideally, the attacker would not be able to imitate the signature of the true author, as they wouldn't have the author's private key. And they can't just change the code and leave the signature alone, because it involves a hash of the code itself.

    See Code Signing on Wikipedia.
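To make the answer's last point concrete, here is an added example (it is not from the question or the answer, and it is not Git's own code) that serialises commit objects in Git's on-disk format, strips the `gpgsig` header the way verification does, and checks the signature over what remains, so swapping in a different tree (different code) under the same signature fails. A toy Lamport hash-based one-time signature stands in for GPG so the script runs offline; the author string, tree hashes and message are constructed.

```python
import hashlib, re, secrets

AUTHOR = "Alice Example <alice@example.com> 1700000000 +0000"  # constructed identity

# Toy Lamport one-time signature standing in for GPG so this runs offline (one signature per key).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(payload):
    d = hashlib.sha256(payload).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, payload):
    return b"".join(sk[i][b] for i, b in enumerate(_bits(payload)))

def verify(pk, payload, sig):
    return len(sig) == 256 * 32 and all(
        hashlib.sha256(sig[i * 32:(i + 1) * 32]).digest() == pk[i][b]
        for i, b in enumerate(_bits(payload)))

def commit_body(tree, message, signature_hex=None):
    # Serialise a commit object. Git stores the signature in a multi-line
    # "gpgsig" header whose continuation lines are indented with one space.
    headers = [f"tree {tree}", f"author {AUTHOR}", f"committer {AUTHOR}"]
    if signature_hex is not None:
        chunks = [signature_hex[i:i + 64] for i in range(0, len(signature_hex), 64)]
        headers.append("gpgsig " + "\n ".join(chunks))
    return ("\n".join(headers) + "\n\n" + message + "\n").encode()

def signed_payload(body):
    # What gets signed and later verified: the commit object minus its gpgsig header.
    return re.sub(rb"^gpgsig .*(?:\n .*)*\n", b"", body, count=1, flags=re.M)

def commit_id(body):
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()

def demo():
    sk, pk = keygen()
    tree = hashlib.sha1(b"constructed tree: genuine code").hexdigest()
    sig = sign(sk, commit_body(tree, "Add feature"))  # unsigned body is the payload
    genuine = commit_body(tree, "Add feature", sig.hex())
    # Attacker swaps in different code (a new tree) but keeps the author and signature.
    evil = hashlib.sha1(b"constructed tree: backdoored code").hexdigest()
    tampered = commit_body(evil, "Add feature", sig.hex())
    return {"genuine_ok": verify(pk, signed_payload(genuine), sig),
            "tampered_ok": verify(pk, signed_payload(tampered), sig),
            "ids_differ": commit_id(genuine) != commit_id(tampered)}
```

The tampered commit also gets a different object id, which is why the signature cannot simply be carried over: both the id and the signed payload contain the tree hash of the code.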