Pedro Rodrigues

home github

signed git commits

SSH keys are awesome but those only prove your identity to the SSH server. When you're pushing to a git repository you're allowed to push changes from other people. And that means anyone with push access to a repository can push commits authored as anyone else. By signing commits authors prove that the commit was made by them. Thus if you see unsigned commits in a repository you can't be sure those were in fact commited by that person.

You need:


  1. create a gpg key pair or skip this step if you already have one
  2. create a new repo or make changes to an existing one
  3. add the changed files
  4. commit using the -S flag