Git Commit Signing

This cluster covers signing Git commits with GPG/PGP or SSH keys to establish who authored a commit and that it has not been altered, and debates the limits of doing so: signatures say nothing about unsigned commits, a hosted forge such as GitHub still controls the repository and can sign commits with its own key, and Git's SHA-1 object hashes (see shattered.io) were never designed as a security boundary.

Trend: 📉 Falling (0.4x)
Category: Security
Comments: 2,146
Years Active: 19
Top Authors: 5
Topic ID: #9496

Activity Over Time

Year  Count
2008      1
2009      3
2010     12
2011     33
2012     46
2013     60
2014     82
2015    103
2016    166
2017    205
2018    145
2019    110
2020    157
2021    230
2022    314
2023    109
2024    214
2025    135
2026     25

Keywords

CLI TUF github.blog SSH PR GH GIT shattered.io PGP SVN commits git commit signed github signing sign sha gpg verify

Sample Comments

craftyguy (Feb 10, 2018)

Or, maybe you should gpg sign your commits. Then github is irrelevant, assuming you have sole control over your private key.

ElBarto (Sep 14, 2018)

If you do not trust Github then signed commits will not help since Github physically controls the repository.

dependenttypes (May 7, 2020)

Having openpgp-signed commits would prevent such an issue.

erdeszt (Apr 16, 2015)

Commit hashes are not a security feature but you can sign your commits with gpg.

chrisseaton (Sep 6, 2021)

Says it signs the commit with its own key. I guess you have to trust GitHub.

nyxtom (Jun 3, 2018)

Usually you can sign your work in a cryptographically verifiable way https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

aliqot (Aug 25, 2022)

Git allows this. Github is just doing what it's told with the data it has. If you don't like this, ignore unsigned commits.

_flux (Dec 31, 2022)

Git allows one to sign commits. It would be quite pointless if it was signing mere MD5 hashes.

Faaak (Sep 26, 2018)

So a git repo with signed commits?

micampe (Aug 4, 2015)

Signing my commits doesn’t prove that I didn’t do an unsigned one.