Modal Title
Security / Software Development

How to Sign git Commits with an SSH key

How can a maintainer of an open source project assure that the project's code hasn't been hacked? By signing the code with SSH. Here's how.
Sep 17th, 2022 6:00am by
Featued image for: How to Sign git Commits with an SSH key
Feature image by Ian Wilson via Pixabay 

Development projects can get very busy. They can also grow to massive proportions. When projects do expand (especially those of an open-source nature), they take on more and more developers. That’s great… until it’s not.

For example, what happens if a rogue developer hops onto a project and adds a commit that injects malicious software into the code? No project wants to have to deal with such an issue.

To that end, projects must be very careful who they allow in. But what happens if someone sneaks under the radar? Maybe a rogue developer gains access to your project and adds a commit that injects malicious code and does so under the guise of another developer. When you see that developer’s name associated with the commit, you let it pass, assuming the code is solid and there’s no need to worry.

Famous last words.

Little do you know, that rogue developer just trashed your project and unless you do catch it, you could wind up with a massive problem on your hands.

What can you do to avoid this?

There are many things. You could constantly keep tabs on every line of code to make sure it’s worthy of the project and safe. Of course, you want to trust your developers and might not have time to comb through every single line of code for malicious intent.

If that describes your project, what can you do?

One thing is to enforce Secure Shell (SSH) signing for commits, which uses public-key cryptography to create a signature for yourself that can’t be forged.

A-ha! You’ve been hunting high and low for such a solution.

By using signing in SSH commits, you can more easily verify that each commit was submitted by a legitimate developer and not an impostor.

I’m here to show you how this is done.

Requirements

To use SSH keys in git commits, you’ll need the git version control software installed and an SSH key. I’ll show you how to do both and will demonstrate on Ubuntu Linux 22.04. If you’re working on a different operating system, make sure to alter the installation steps accordingly.

Ready? Let’s do this.

Installing Git

The first thing we’ll do is install git. For that, log in to your Ubuntu instance, open a terminal window, and issue the command:


Huzzah!

Create Your SSH Key

Next, you must generate an SSH key that will be used. For this, issue the command:


Answer the questions and make sure to type/verify a strong and unique password for the key. That key will be housed in your ~/.ssh directory by default. That’s fine as git can work with that.

Initialize a Local Repository

Next, we must initialize a local repository. Create a folder for this with the command:


You can name that directory whatever you like.

Change into the new directory with:


Initialize the empty repository with:

Configure Git

We now need to configure git to know who we are. This is accomplished with the following two commands:


Where EMAIL is your email address and NAME is your full name.

Our next configuration tells git we want to enable GPG singing and the format will be SSH. To do that, issue the following two commands:


Next, list your SSH key(s) with:


You should see something like this listed:


Copy that entire string.

If you get an error after the ssh-add command, you might need to first run the command:


We can now set our signing key with the command:


Where KEY is the entire string you copied above.

You can then confirm the SSH signing has been set up correctly with the command:


For our next trick, we need to configure the SignersFile with the command:


Create the allowed signers file with:


Finally, we have to populate that new file with our key using the command:


Where EMAIL is your email address and KEY is the key you copied earlier.

How to Verify It’s Working

Now that everything is set up, let’s make sure everything works with the command:


The output should look something like this:


Where EMAIL is the email address associated with your SSH key.

Congratulations, you now have SSH signing set up for your git commits. Everyone will know that it’s really you submitting to the project.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.
TNS owner Insight Partners is an investor in: Famous.