GitHub add support for GPG Signature Verification

It’s official, GitHub has announced (as of April 5th 2016) that they will now be supporting GPG-signed commit verification!


A series of gpg-signed commits, showing the signature verification on GitHub

GitHub now shows signed git commits and tags with a green “Verified” badge. This does not only indicate that the commit or tag is signed: it validates the GPG signature against the keys known to that user (the keys set in your GitHub account settings).

The signature verification is also visible within Pull Requests, which is a great feature for large open-source projects to verify that code from trusted project members is really from the right people.

Why Signed Commits Are Important

Up until now, there was no way to verify within GitHub that commits were from the actual user that owns the account – it’s entirely possible that someone could have compromised the user’s account, committed some code as them, and opened a PR to include some bad code (a back-door, for example).

Git has supported signed commits for a while now, and large projects like the Linux Kernel rely on them, but the only way to verify the signatures was to pull the branch to your local machine and check the signature locally.

Local verification of signatures is still a really good idea, especially on large open source projects where distributed teams might not have physical meetings to discuss commits and PRs. Having the badge shown in the GitHub interface, though, means that a quick overview shows whether commits are signed using a known key or not, and whether that signature is valid.

This doesn’t replace doing your own checks, but is a great step forward in assuring the identity of a contributor.


A Pull-Request on GitHub, showing contributor commits with the new “Verified” badge.
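As an added illustration (not GitHub’s own code; GitHub does not publish its exact rules), here is the policy decision the badge makes on top of git’s and gpg’s cryptographic check, run over constructed `git log` output. The `Account` model and its fields are assumptions; the committer e-mail condition is an additional check GitHub applies that the post above does not mention.

```python
# Added example, not GitHub's own code: the policy layer that turns gpg's verdict
# into the "Verified"/"Unverified" decision described above. Input is from:
#   git log --format='%H%x09%G?%x09%GF%x09%ce'
# %G?: G good, U good but key untrusted locally, B bad, E cannot check,
#      X expired signature, Y expired key, R revoked key, N unsigned
# %GF: signing key fingerprint (empty if unsigned); %ce: committer e-mail
from dataclasses import dataclass

@dataclass
class Account:  # hypothetical model of a GitHub account's keys and e-mails
    key_fingerprints: set
    emails: set

def normalise_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()

def verification_state(status, fingerprint, email, account):
    """Return ("Verified", "") or ("Unverified", reason) for one commit."""
    reasons = {"N": "commit is not signed", "B": "bad signature",
               "E": "signature cannot be checked", "X": "signature expired",
               "Y": "signing key expired", "R": "signing key revoked"}
    if status not in ("G", "U"):
        return "Unverified", reasons.get(status, f"unexpected status {status!r}")
    # "U" passes: local gpg trust is replaced by registration on the account.
    if normalise_fpr(fingerprint) not in account.key_fingerprints:
        return "Unverified", "signing key is not registered on the account"
    if email.lower() not in account.emails:
        return "Unverified", "committer e-mail is not verified on the account"
    return "Verified", ""

def verify_log(log_text, account):
    # Map commit hash -> (state, reason) for each line of the git log output.
    result = {}
    for line in log_text.strip().splitlines():
        commit, status, fingerprint, email = line.split("\t")
        result[commit] = verification_state(status, fingerprint, email, account)
    return result

# Constructed sample data: placeholder fingerprints, hashes and addresses.
SAMPLE_ACCOUNT = Account(
    key_fingerprints={normalise_fpr("AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333")},
    emails={"dev@example.com"},
)
SAMPLE_LOG = (
    "1111111\tG\tAAAABBBBCCCCDDDDEEEEFFFF0000111122223333\tdev@example.com\n"
    "2222222\tU\tAAAABBBBCCCCDDDDEEEEFFFF0000111122223333\tdev@example.com\n"
    "3333333\tG\t9999999999999999999999999999999999999999\tdev@example.com\n"
    "4444444\tN\t\tdev@example.com\n"
    "5555555\tG\tAAAABBBBCCCCDDDDEEEEFFFF0000111122223333\tother@example.org\n"
)
```

Running `verify_log(SAMPLE_LOG, SAMPLE_ACCOUNT)` marks the first two commits Verified and gives a distinct reason for each of the other three, which is the same distinction the badge draws between an unsigned commit, an unknown key, and a key that is not tied to the account.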

Signing your code

Now is an ideal time to get set up with the age-old PGP technology (See how: Windows / Mac), get yourself a hardware token to securely store your private key and authenticate with (GitHub users can get 20% off YubiKeys), and start signing your git commits using GPG!

Even better, you can not only sign your git commits to verify your identity, but use the same keys (or different ones, if you like) to sign outgoing mail, encrypt emails and files, and more!

This is great news for IT Security, and follows not long after Facebook announced support for GPG-Encrypted Notifications! (you can use your key there, too!)

If you’re new to GPG, or still getting set up, don’t forget to publish your public key (never your private key!) to one or more keyservers (MIT is a good one, and so is the SKS Keyserver Pool).

As always, my key is available in both (MIT / SKS), or directly from my blog – Feel free to add it to your key chain and send me an encrypted and signed test email!

My Key Fingerprint:

1C6E 2273 D397 06CC 48EF  A543 1C76 31C7 D620 83D0
