Anyone can set user.name and user.email to anything, so the author and committer fields prove nothing. A signed commit proves that whoever holds the signing key produced it; tying that key to a person or account is a separate step (a trusted key list locally, registered keys on a forge).
Setup (GPG or SSH; SSH is simpler and needs git 2.34 or newer plus OpenSSH 8.2 or newer):
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgSign true
The .pub path relies on ssh-agent holding the matching private key; if you don't run an agent, point user.signingkey at the private key file instead.
Now every commit is signed automatically. Verifying SSH signatures needs one more piece: gpg.ssh.allowedSignersFile must point at a file that maps a principal (normally the e-mail address) to a public key, one per line in ssh-keygen's ALLOWED SIGNERS format. Git can sign without it but cannot verify. Then:
git log --show-signature
(or git verify-commit HEAD for a pass/fail exit status)
GitHub badges a commit as "Verified" when its signature checks out against a key registered on the committer's account; an SSH key must be added to the account as a signing key (an authentication-only key does not count). Combined with branch protection ("Require signed commits"), an org can guarantee that every commit on main carries a valid signature from a key tied to a known account. That is a statement about key possession, not identity: a stolen key or compromised account still produces "Verified" commits.
Critical for supply-chain security in OSS or regulated environments.