I've been signing my Git commits since 2020, and it's one of those security practices that seems optional until you realize how easy it is for some...
Doesn't linking git to GH via ssh through the gh-cli automatically do this already or is linking it manually different?
Linking git to GH via ssh is needed to authenticate you with GitHub. That's how it determines if you have various rights wrt any repository.
I think, what @nickytonline is talking about is establishing authenticity, integrity and non-repudiation of each commit. No one can misuse your email and impersonate a commit if you sign all your commits.
Exactly right, Rajesh! You've perfectly captured the distinction.
SSH handles Authentication (access rights to the repo), while GPG/SSH signing ensures Authenticity, Integrity, and Non-repudiation (proving the commit content came from you).
It's all about separating who can push code from who created the code, a crucial difference for security!
Exactly Rajesh. Well said and thanks for reading my post!
That's a common point of confusion! 🤔 No, linking Git to GitHub via SSH through the gh-cli does not automatically sign your commits.
SSH (for Git/GitHub) is used for authentication when pushing/pulling code (proving you are who you say you are to GitHub).
GPG (for commit signing) is used for cryptographic proof that the commit itself was written and approved by you (the private key holder).
They are separate security layers. You still need to manually generate and configure the GPG key to get the "Verified" badge.
I see now. Thank you for the clarification.
I wasn’t aware of the GitHub CLI doing this. TIL!
Don't take my word for it. All I know is that the gh CLI lets you sign your local Git from your GitHub account via SSH, as how I understand it; I'm only asking if it's the same as signing with a GPG key like you showed.
This is the method I always use to link my Git account to GitHub via SSH but if GPG is different I'll take the time to reauthenticate my accounts.
It’s probably different because GPG can be for more than just signing Git commits. Will dig in though, as I use the GH CLI all the time.
That's a very common question, and I can clarify! The short answer is: No, signing with SSH via the GitHub CLI is different from signing with a GPG key, but they achieve the same result: a "Verified" badge on GitHub.
Useful guide!
Thank you
Truly said
Excellent write-up 👏 — most devs don’t realize how easy it is to spoof commits until it happens.
GPG signing really is the “HTTPS moment” for Git commits — optional now, essential later.
Love how you broke it down step-by-step (especially the macOS GPG Keychain part).
Bookmarking this for every new repo setup. 🔒💻
Thanks for giving it a read Shemith!
Thanks for sharing — good OSS practice!
You’re welcome Asher!
Ou sou cool
Wow, have never considered this at all. It looks unnecessary but it's actually important during contributions. I like how you expatiated the need and also show us how to register and start using it.
From what I realise about your perspective, "gpg" is a separate application we can integrate with the Git-to-GitHub interaction, and it is easy and better for developers.
Thanks anyway. Will do more research on it.
What about open source projects? Must everyone be forced to use signed commits on your repo?
They don't have to necessarily. It's up to the maintainers of the project.
Excellent write-up; clear, practical, and much needed for dev security hygiene.
Cannot agree more
Thanks Balasaranya!
It's so amazing!
Thanks Gogogo!
Amazing tips.
You’re welcome Nelson!
Such a vital security practice, @nickytonline, and you've explained it clearly. Commit signing is non-negotiable for professional teams building SaaS products.
This guide makes the setup process much less daunting. How did your team handle the rollout when you first implemented this?
Super clear guide...
Super clear and actionable....
Great article! Love learning something new from another old timer :)
Excellent guide. The step-by-step breakdown and macOS focus make GPG signing approachable for developers who've been putting it off.