
Sign and submit the label

Author: Chuan Chen   Reads: 21211   Category: Development Tools

Basic Concepts of Signed Commits and Tags

Git's signing mechanism adds an authenticity layer on top of the content-addressed history: the commit hash proves that a commit has not changed since it was stored, but says nothing about who made it, because author and committer fields are free text. A signed commit is the commit object signed with the developer's private GPG key (signing, not encryption: the object stays readable, and anyone holding the matching public key can check that it was produced by the key holder and has not been altered since). A signed tag does the same for a tag object, which is why signed tags are commonly used to mark release versions: a verifier can confirm that the tag, and therefore the commit it points to, was published by the release manager's key.

# Example: generate a GPG key pair interactively (choose a key type, size and expiry)
gpg --full-generate-key

Configuring Git Commit Signing

Before signing commits, GPG must be set up. Git runs the program named by gpg.program (default: gpg) and expects the GnuPG 2.x command-line interface; on distributions that install GnuPG 2 as gpg2 next to a legacy gpg, point Git at gpg2 explicitly. Configuration involves three steps:

  1. Telling Git which key to sign with (use the long key ID or the full fingerprint shown by `gpg --list-secret-keys --keyid-format long`; short 8-character IDs are easy to collide)
git config --global user.signingkey <key-id>
  2. Setting the GPG program (only needed when the binary is not simply gpg)
git config --global gpg.program gpg2
  3. Testing that signing works outside Git, which exercises the agent and pinentry path that Git will later rely on
echo "test" | gpg --clearsign

On Windows, give Git the full path to gpg.exe. Quote the path so the spaces survive; Git also accepts forward slashes, which sidesteps backslash-escaping problems in some shells:

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

Creating Signed Commits

When a commit is created with the -S flag, Git performs the following operations:

  1. Builds the commit object content (tree, parent(s), author, committer and message)
  2. Passes that content to GPG, which produces a detached, ASCII-armored signature with the configured private key
  3. Stores the signature inside the commit object as a multi-line gpgsig header; the commit hash is then computed over the object including that header

So the signature covers the commit content, not the commit hash, and the hash in turn covers the signature. This is also why amending, rebasing or cherry-picking a signed commit yields a new object that has to be signed again.

git commit -S -m "Implement user authentication"
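To make the three steps above concrete, here is an added example (not code from the original article) that does what `git verify-commit` does when it takes a signed commit apart: it strips the gpgsig header from a raw commit object (the output of `git cat-file commit <hash>`) to recover the exact payload that gpg verifies, and computes the commit ID the way Git does, over the whole object including the signature. The commit object, the key material and the PGP block are constructed placeholders; the signature will not verify against any real key.

```python
"""Added example: what Git signs in a commit, and what it hashes."""
import hashlib
import os
import shutil
import subprocess
import tempfile

# Constructed sample of `git cat-file commit <hash>` for a signed commit.
# Git stores the armored signature as a "gpgsig" header whose continuation
# lines are indented with one space. The PGP block here is a placeholder.
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 1234567890abcdef1234567890abcdef12345678\n"
    "author Li Hua <lihua@example.com> 1684131822 +0800\n"
    "committer Li Hua <lihua@example.com> 1684131822 +0800\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " iQEzBAABCAAdFiEEplaceholderplaceholderplaceholder\n"
    " =AbCd\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Implement user authentication\n"
)


def split_signed_commit(raw: str):
    """Return (payload, signature) as `git verify-commit` derives them.

    The gpgsig header and its space-indented continuation lines are removed;
    the rest of the object, byte for byte, is the signed payload. If there
    is no gpgsig header the signature is None.
    """
    headers, _, message = raw.partition("\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])  # a lone " " is a blank armor line
        else:
            in_sig = False
            kept.append(line)
    payload = "\n".join(kept) + "\n\n" + message
    signature = "\n".join(sig_lines) + "\n" if sig_lines else None
    return payload, signature


def commit_id(raw: str) -> str:
    """Commit hash as Git computes it: SHA-1 over "commit <size>\\0<object>".
    Because the object still contains the gpgsig header, the hash depends on
    the signature, while the signature is over the payload without it."""
    data = raw.encode()
    return hashlib.sha1(b"commit %d\0" % len(data) + data).hexdigest()


def verify_with_gpg(raw: str):
    """The check Git runs under the hood: the signature goes to a file and
    the payload to gpg's stdin (`gpg --verify <sigfile> -`). Returns True on
    GOODSIG, False otherwise, and None when gpg is not installed. The
    placeholder signature in SAMPLE_COMMIT will of course return False."""
    if shutil.which("gpg") is None:
        return None
    payload, signature = split_signed_commit(raw)
    if signature is None:
        return False
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as f:
        f.write(signature)
        sig_path = f.name
    try:
        proc = subprocess.run(
            ["gpg", "--status-fd=1", "--keyid-format=long", "--verify", sig_path, "-"],
            input=payload.encode(), capture_output=True)
        return b"GOODSIG" in proc.stdout
    finally:
        os.unlink(sig_path)


if __name__ == "__main__":
    payload, signature = split_signed_commit(SAMPLE_COMMIT)
    print("signed payload:\n" + payload)
    print("hash of object with signature:   ", commit_id(SAMPLE_COMMIT))
    print("hash of payload alone (differs): ", commit_id(payload))
```

Run it against a real repository with `git cat-file commit HEAD | python3 -c 'import sys, thismodule; ...'` or simply paste the output into SAMPLE_COMMIT; the payload printed is exactly the bytes that must reach gpg unchanged, which is why any tool that rewrites commit headers (rebase, filter-repo, a forge's "squash and merge") invalidates the signature.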

To enforce signing for all commits:

git config --global commit.gpgsign true

If Git reports "gpg failed to sign the data", the usual cause is that gpg cannot ask for the passphrase because it does not know which terminal to use; export GPG_TTY in the shell (and put it in your shell profile):

export GPG_TTY=$(tty)

Verifying Commit Signatures

Check the signing status in a project:

git log --show-signature

Example output:

commit 5f1bc85 (HEAD -> main)
gpg: Signature made Wed May 15 14:23:42 2023 CST
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Good signature from "Li Hua <lihua@example.com>"

Batch verification for all commits (verify-commit prints the result for each commit and exits non-zero if any signature is bad or missing, so it doubles as a pass/fail check; for a compact per-commit summary, the %G? placeholder of git log's --pretty format prints G for a good signature, U for good but untrusted key, B for bad, E when the key is missing and N for no signature):

git verify-commit $(git rev-list --all)

Methods for Signing Tags

Creating an annotated signed tag:

git tag -s v1.4 -m "Release version 1.4"

A lightweight tag is only a ref pointing at a commit and has no tag object to carry a signature, so only annotated tags can be signed. -a creates an annotated but unsigned tag; -s (or -u <key-id> to pick a specific key) creates an annotated tag and signs it. To sign every annotated tag by default, set tag.gpgSign to true. Verifying a tag signature:

git tag -v v1.4

Tags are not pushed by a plain `git push`; push the signed tag explicitly (prefer naming it over --tags, which also pushes every local lightweight tag):

git push origin v1.4

Common Issues in the Signing Process

GPG agent problems typically surface as:

error: gpg failed to sign the data
fatal: failed to write commit object

Things to check, in order:

  1. The pinentry program can be reached: pinentry-program in ~/.gnupg/gpg-agent.conf must point at an installed pinentry (curses, tty or a GUI variant), and GPG_TTY must be exported for terminal sessions
  2. Verification (not signing) fails with "No public key": fetch the signer's public key from a keyserver, then confirm its fingerprint with the owner out of band
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys <key-id>
  3. The agent is holding stale state or an old configuration: restart it
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

When a key expires, extend its validity (this edits the primary key; if the signing subkey has its own expiry, select it first with `key 1` inside the editor). Signatures made before the expiry remain valid, but verifiers see the key as expired until they receive the updated public key, so re-export or `gpg --send-keys` it afterwards:

gpg --edit-key <key-id>
> expire
> 2y
> save

Automated Signing Strategies

Verifying signatures in CI/CD pipelines. The runner starts with an empty keyring, so the team's public keys must be imported before verification, and a shallow checkout has to be deepened so the commit and tag objects are present. Note that verify-commit accepts a good signature from any key in the keyring; set gpg.minTrustLevel if you want gpg's ownertrust to be enforced as well.

# GitHub Actions example
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0                 # full history and tags, not a shallow clone
      - name: Import team public keys
        run: gpg --import team_keys.asc  # assumed to be committed at the repo root
      - run: |
          git verify-commit HEAD
          # only a tagged HEAD (a release build) has a tag to verify
          if tag=$(git describe --tags --exact-match HEAD 2>/dev/null); then
            git verify-tag "$tag"
          fi

Client-side hooks cannot verify the commit being made: at pre-commit time the commit object does not exist yet, so `git verify-commit HEAD` in a pre-commit hook would only check the previous commit. What a pre-commit hook can do is refuse to proceed unless signing is switched on and the configured secret key is present. Since a developer can always bypass a local hook (or pass --no-gpg-sign), the authoritative check belongs in a server-side pre-receive or update hook, or in CI, that verifies every pushed commit:

# .git/hooks/pre-commit: the commit does not exist yet, so check the signing setup
key=$(git config --get user.signingkey)
if [ "$(git config --get commit.gpgsign)" != "true" ] || [ -z "$key" ]; then
  echo "commit signing is not enabled (commit.gpgsign / user.signingkey)" >&2
  exit 1
fi
if ! gpg --list-secret-keys "$key" >/dev/null 2>&1; then
  echo "no secret key matching $key; unsigned commits are rejected" >&2
  exit 1
fi
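The server-side or CI check that the hook above defers to is the piece that actually enforces a signing policy. The following is an added example (not code from the original article) of such a check: it reads `git log` output in a custom format that carries the commit hash, the %G? verification status, the primary-key fingerprint (%GP) and the signer, and rejects any commit that is not a good signature from an allow-listed key. Checking fingerprints rather than gpg's ownertrust matters in CI, where imported keys have no ownertrust and every good signature shows up as U (good but untrusted); the allow-list is the trust decision. The fingerprints and log lines embedded below are constructed placeholders, and the key allow-list is an assumption of this example.

```python
"""Added example: commit signature policy check for CI or a pre-receive hook."""
import subprocess
import sys

# Meaning of the %G? codes printed by `git log --format=%G?`.
STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key not trusted in the keyring",
    "X": "good signature, but it has expired",
    "Y": "good signature, but the key has expired",
    "R": "good signature, but the key is revoked",
    "B": "BAD signature (content was altered after signing)",
    "E": "cannot verify (public key missing or unreadable)",
    "N": "no signature",
}

SEP = "\x1f"  # unit separator: cannot appear in hashes, codes or gpg user IDs
LOG_FORMAT = "%H%x1f%G?%x1f%GP%x1f%GS"  # hash, status, primary fingerprint, signer

# Constructed allow-list of team signing keys (placeholder fingerprints).
ALLOWED_FINGERPRINTS = {
    "1111222233334444555566667777888899990000",  # Li Hua
    "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",  # Wang Wei
}

# Constructed sample of `git log --format=LOG_FORMAT` output, one commit per line.
SAMPLE_LOG = [
    SEP.join(["c111" * 10, "G", "1111222233334444555566667777888899990000", "Li Hua <lihua@example.com>"]),
    SEP.join(["c222" * 10, "U", "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333", "Wang Wei <wangwei@company.com>"]),
    SEP.join(["c333" * 10, "N", "", ""]),                                   # unsigned
    SEP.join(["c444" * 10, "G", "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", "Mallory <mallory@example.net>"]),
    SEP.join(["c555" * 10, "B", "1111222233334444555566667777888899990000", "Li Hua <lihua@example.com>"]),
]


def check_log(lines, allowed=ALLOWED_FINGERPRINTS, strict_trust=False):
    """Return a list of (commit, reason) violations; an empty list means the
    policy passes. With strict_trust=False a good-but-untrusted (U) signature
    from an allow-listed key is accepted, which is the normal CI situation."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        fields = line.rstrip("\n").split(SEP)
        commit, status, fpr, signer = (fields + [""] * 4)[:4]
        if status == "G" or (status == "U" and not strict_trust):
            if fpr.upper() not in allowed:
                violations.append((commit, f"signed by non-allow-listed key {fpr or '?'} ({signer})"))
        else:
            violations.append((commit, STATUS_TEXT.get(status, f"unknown status {status!r}")))
    return violations


def git_log_lines(rev_range):
    """Run git over a range such as 'origin/main..HEAD'. Needs git and gpg,
    and the signers' public keys imported into the keyring."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    rev_range = sys.argv[1] if len(sys.argv) > 1 else "origin/main..HEAD"
    problems = check_log(git_log_lines(rev_range))
    for commit, reason in problems:
        print(f"{commit[:12]} {reason}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

In a pre-receive hook, call it once per updated ref with `$oldrev..$newrev` (for a newly created ref, where oldrev is all zeros, use `$newrev --not --all` style ranges so only commits unknown to the server are checked). The constructed sample yields three violations: the unsigned commit, the commit signed by an unknown key, and the commit with a bad signature; the U commit passes because its key is allow-listed.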

Signature Management in Multi-Developer Environments

For team projects, keep a shared keyring of every contributor's public key (public keys only; private keys are never passed around). Before assigning trust, confirm the fingerprint with the key owner out of band, and use full trust (4) for teammates: ultimate trust (5) is meant for your own keys.

# Export public keys
gpg --export -a <key-id> > team_keys.asc

# Import others' public keys
gpg --import team_keys.asc

# Set trust levels (after checking the fingerprint with the owner)
gpg --edit-key <teammate-key-id>
> trust
> 4
> quit

Git's allowed-signers file is the counterpart of this keyring for SSH signing (gpg.format set to ssh, available since Git 2.34); it does not apply to GPG signatures, whose trust comes from the keyring ownertrust above and from gpg.minTrustLevel, which makes verification fail for keys below the configured trust level. The configuration key is:

git config --global gpg.ssh.allowedSignersFile ~/.git_allowed_signers

The file uses the allowed_signers format of ssh-keygen: one principal (normally the committer's email) per line, optionally restricted to the git namespace, followed by the SSH public key. There is no trust-level field; a listed key is trusted for that principal:

lihua@example.com namespaces="git" ssh-ed25519 <lihua-ssh-public-key>
wangwei@company.com namespaces="git" ssh-ed25519 <wangwei-ssh-public-key>

Legal Validity of Signatures

Digital signatures carry legal weight in certain jurisdictions. For enterprise development, it is recommended to:

  1. Bind GPG keys to corporate email addresses
  2. Rotate signing keys periodically (recommended annually)
  3. Clearly specify signing requirements in CONTRIBUTING.md

Revoking a compromised or retired key: generate a revocation certificate, import it into your own keyring so the key is marked revoked locally, then publish the updated key. GnuPG 2.1 and later already write a revocation certificate to ~/.gnupg/openpgp-revocs.d/ when a key is generated; keep that file offline, since anyone holding it can revoke the key.

gpg --gen-revoke <key-id> > revoke.asc
gpg --import revoke.asc
gpg --send-keys <key-id>

Advanced Signing Techniques

Signing merge commits works like any other commit with -S; --verify-signatures is the complementary check and refuses to merge a branch whose tip commit is not signed with a valid, trusted key:

git merge -S feature-branch
git merge --verify-signatures feature-branch

Signing patch files. gpg --clearsign dash-escapes lines that begin with "-", so the recipient should recover the original patch with `gpg --decrypt` (which verifies the signature and writes out the unescaped text) rather than feeding the clearsigned file straight to git am; a detached signature (--detach-sign --armor) avoids the issue entirely:

git format-patch -1 --stdout HEAD | gpg --clearsign > 0001-signed.patch

Using different keys for different projects (run inside the repository: without --global the setting goes to .git/config and overrides the global one):

# Project-specific configuration
git config user.signingkey <project-specific-key>

Signatures and Submodules

A superproject commit records only the submodule's commit hash, so a signature on the superproject commit vouches for which submodule revision is referenced, not for the submodule's own history. The submodule's commits must be signed and verified separately:

  1. Any change to a submodule pointer is a new superproject commit and is signed like any other; an unsigned pointer bump is a common blind spot
  2. Recursively verify the checked-out commit of every submodule:
git submodule foreach 'git verify-commit HEAD'

When pulling, --verify-signatures checks the tip being merged into the superproject only; it does not verify the submodule commits that --recurse-submodules checks out, so combine it with the foreach check above:

git pull --recurse-submodules --verify-signatures

Key Hosting Solutions

Backing up GPG keys safely. The export below is the private key in the clear: write it only to encrypted or offline storage, and shred the file once the backup exists.

# Export the private key (binary form, which is what paperkey expects)
gpg --export-secret-keys <key-id> > private.gpg

# Backup using Paperkey: prints only the secret parts, for paper storage;
# restoring needs this output plus the public key
paperkey --secret-key private.gpg --output paperkey.txt

Cloud service integration (e.g., Keybase): pull the private key into the local GnuPG keyring, look up its long key ID, then point Git at it:

keybase pgp pull-private
gpg --list-secret-keys --keyid-format long
git config --global user.signingkey <key-id>
