Enforcing GPG-Signed Commits in Git

2024-03-21T00:00:00+00:00

🚀 Problem & Solution

📌 Context / Backstory

In our collaborative development environment, we discovered that Git's flexibility allows commits under any name and email. This became a security concern when we realized that GitHub identifies users by email, not SSH keys.

sequenceDiagram participant Alice participant Bob participant GitHub Alice->>GitHub: Commit signed with alice@example.com (GPG signed) GitHub->>GitHub: Shows "Verified" commit from Alice Bob->>GitHub: Commit using alice@example.com (no signature) GitHub->>GitHub: Shows commit as from "Alice" (Unverified) Note over GitHub: GitHub matches commits by email, not by SSH or true identity.

⚠️ The Problem

Anyone with repository access can spoof another contributor's identity
Commit history could be manipulated without detection
No cryptographic proof of commit authenticity
GitHub's user identification relies solely on email addresses

💡 The Solution

We implemented mandatory GPG-signed commits, which:

Cryptographically verify commit authenticity
Prevent identity spoofing
Create traceable commit history
Integrate with GitHub's verification system

👥 Who This Helps

Security-conscious development teams
Open-source project maintainers
Regulated environments requiring audit trails
Organizations needing verified commit history

⚙️ Technical Implementation

Let's visualize the GPG signing workflow:

flowchart LR C[Commit] -->|Sign| G[GPG Key] G -->|Verify| GH[GitHub] subgraph "Local System" C G end subgraph "Remote" GH end style GH fill:#f96,stroke:#333 style G fill:#9f6,stroke:#333

1️⃣ Setting Up GPG Keys

# Generate a new GPG key
gpg --full-generate-key

# List your keys
gpg --list-secret-keys --keyid-format=long

2️⃣ Configuring Git

# Configure Git to use your GPG key
$ git config --global user.signingkey <YOUR_KEY_ID>
$ git config --global commit.gpgsign true
$ git config --global gpg.program gpg

3️⃣ GitHub Integration

Export your public GPG key:

$ gpg --armor --export <YOUR_KEY_ID>

Add the key to your GitHub account settings

4️⃣ Enforcing Signed Commits

In GitHub repository settings:

Navigate to Settings > Branches
Add branch protection rule
Enable "Require signed commits"

🛠️ Troubleshooting & Debugging

GPG signing fails: Check gpg-agent configuration
GitHub doesn't show "Verified": Ensure GPG key is added to GitHub
CI/CD issues: Set up proper GNUPGHOME environment
Smart card/YubiKey: Verify proper card reader access

🔁 Optimizations & Best Practices

Use GPG subkeys instead of master keys
Implement regular key rotation
Set up separate signing keys for different contexts
Use environment isolation in CI/CD pipelines
Consider hardware security keys (YubiKey) for key storage

✅ Conclusion & Takeaways

GPG-signed commits provide a robust security layer for Git workflows, ensuring: - Verified commit authenticity - Protected repository history - Clear accountability - Compliance with security best practices

💬 Comments & Next Steps

How do you handle commit verification in your organization? Share your experience or ask questions below!

Password Store with GPG and Git

2024-03-21T00:00:00+00:00

🚀 Problem & Solution

📌 Context / Backstory

We needed a secure way to manage passwords and secrets across multiple servers and team members. Commercial password managers were either too complex, costly, or required external services we wanted to avoid.

⚠️ The Problem

Managing secrets across systems and teams presents several challenges:

Keeping passwords secure yet accessible
Tracking changes and maintaining history
Sharing secrets securely between team members
Avoiding dependency on external services

💡 The Solution

We implemented password-store with GPG encryption and Git integration, providing:

Secure GPG encryption for all secrets
Git-based version control and distribution
Fully local operation with no external dependencies
Command-line interface for automation

👥 Who This Helps

System administrators managing multiple servers
DevOps teams handling shared credentials
Security-conscious users wanting local password management
Teams needing version-controlled secrets

⚙️ Technical Implementation

Let's visualize the password-store workflow:

1️⃣ Generating GPG Keys in Batch Mode

For automated environments:

cat > gpg-server-key.conf <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Server Automation Key
Name-Email: server@example.com
Expire-Date: 0
%commit
EOF

gpg --batch --generate-key gpg-server-key.conf

2️⃣ Setting Up the Environment

export PASSWORD_STORE_GPG_OPTS="--armor"
export GNUPGHOME=/etc/password-store/.gnupg
export PASSWORD_STORE_DIR=/etc/password-store/store

3️⃣ Initializing the Password Store

mkdir -p "$GNUPGHOME" "$PASSWORD_STORE_DIR"
chmod 700 "$GNUPGHOME" "$PASSWORD_STORE_DIR"
pass init server@example.com

4️⃣ Git Integration

cd "$PASSWORD_STORE_DIR"
git init
git add .
git commit -m "Initial password store"
git remote add origin git@example.com:secrets.git
git push -u origin main

🛠️ Troubleshooting & Debugging

Ensure proper GPG key permissions (700 for directories, 600 for files)
Verify GPG recipient when encryption fails
Check Git remote access rights for sync issues
Monitor Git conflicts when multiple users update simultaneously

🔁 Optimizations & Alternatives

Consider using GPG agent for improved key handling
Implement Git hooks for pre-commit validation
Use Git branches for testing password updates
Consider pass extensions for additional features

✅ Conclusion & Takeaways

Using GPG with password-store provides a flexible, secure, and lightweight method for managing secrets across machines. With Git integration, you get version history, team sharing, and distributed backup—without compromising security.

💬 Comments & Next Steps

How do you manage shared secrets in your infrastructure? Share your experience or ask questions below!

nunogrl.com - gpg

Enforcing GPG-Signed Commits in Git

🚀 Problem & Solution

📌 Context / Backstory

⚠️ The Problem

💡 The Solution

👥 Who This Helps

⚙️ Technical Implementation

1️⃣ Setting Up GPG Keys

2️⃣ Configuring Git

3️⃣ GitHub Integration

4️⃣ Enforcing Signed Commits

🛠️ Troubleshooting & Debugging

🔁 Optimizations & Best Practices

✅ Conclusion & Takeaways

💬 Comments & Next Steps

Password Store with GPG and Git

🚀 Problem & Solution

📌 Context / Backstory

⚠️ The Problem

💡 The Solution

👥 Who This Helps

⚙️ Technical Implementation

1️⃣ Generating GPG Keys in Batch Mode

2️⃣ Setting Up the Environment

3️⃣ Initializing the Password Store

4️⃣ Git Integration

🛠️ Troubleshooting & Debugging

🔁 Optimizations & Alternatives

✅ Conclusion & Takeaways

💬 Comments & Next Steps