Git Signing with SSH

Why sign your commits?

supply chain

What we want

github verified

How to verify a commit?

$ git verify-commit 54d75d3d5992bdbd5ddb5a5f6a12bd7ba1dc747d
Good "git" signature with ED25519 key SHA256:lyOfOeV7C0s0ygnRgkSd4S8LVC4mkoPmRvlLdcvWOzM
No principal matched.
$ git verify-tag v1.2.3-4 

Can anyone sign a commit?

$ cat ~/.ssh/allowed_signers

Verify committs of a release

git log --oneline ${source_rev}..${target_rev} |
  awk '{ print $1}') |
  while read -r commit; do
    git verify-commit ${commit}

Delve further

Licensed under CC BY Creative Commons License ~ ✉ torstein.k.johansen @ gmail ~ 🐘 ~ 🐦 @torsteinkrause