🔄 Let’s Do DevOps post: Cryptographically Signing Your Commits on GitHub with PGP 🚀

Aka, was it really you that pushed this commit?

3 min read · Aug 20, 2024

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

I’ve moved to LetsDoDevOps.com, you can find the article here. This content has a paywall for 1 week, and then will be free starting at 8/27 9a CT. Feedback on the paywall model is welcome!

Hey all!

“Git” is a nearly universal tool for managing code. It’s incredibly influential and pervasive. It’s also really insecure.

“GitHub” is in a similar position — it’s a nearly universal tool among software engineers, and (unsurprisingly) it relies on “git” a ton. Something that most users don’t recognize is that the Author name you see on your PRs on GitHub is whatever is configured in your local git install, and that name can be set arbitrarily to anything. Like, anything.

That’s hilarious and really unsafe.

> git config user.name "Ronald McDonald"
> touch stuff && git add . && git commit -m "I promise my name is ronald mcdonald" && ggpush
> git config user.name "37337 H4x0r"
> touch stuff2 && git add . && git commit -m "Totally a real person I promise" && ggpush

(`ggpush` is the oh-my-zsh alias for pushing the current branch; plain `git push` does the same. Both commits land on GitHub showing whatever name was typed into `user.name`.)

We’ve been playing around with improving our security posture on GitHub, and there are tons of tools and settings you can deploy that’ll improve things for your orgs.

One of those is called Commit Signature Verification, and it’s the process of using a cryptographic operation to “sign” a commit with your private key. A valid signature proves that whoever holds that private key produced the commit, and that the commit (tree, parents, author and committer lines, message) hasn’t been modified since it was signed. That proof is separate and apart from the SSH key or token used to push code to GitHub: push credentials only show who was allowed to upload, not who authored what was uploaded.

Commit verification links your git commit to a GitHub identity — that’s a huge security boon.

On most pages you’ll also see that pretty “Verified” badge on your PRs, and that means that the commit is signed cryptographically with a key linked to a GitHub Profile.
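The three properties above (an unsigned commit can claim any author, a signed commit verifies, and a signed commit that is edited afterwards stops verifying) can be watched end to end on the command line. The script below is an added example written for this article, not code from the original post; it assumes `git` and `gpg` (GnuPG 2.1 or newer) are on `PATH`, and it points `GNUPGHOME` at a temporary directory with a throwaway `demo@example.invalid` key, so it touches neither your real keyring nor your global git config.

```shell
#!/bin/sh
# Added example: the mechanics behind GitHub's "Verified" badge, run locally.
# Assumes git and gpg (GnuPG 2.1+) are installed. Everything happens in a temp
# directory with a throwaway key; nothing here changes your real keyring or config.

# Generate a throwaway Ed25519 signing key and print its long key ID.
make_throwaway_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0 \
        >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --list-secret-keys demo@example.invalid \
        | awk -F: '$1 == "sec" { print $5; exit }'
}

# Make an empty commit with an arbitrary author name, signed or not; print its hash.
# $1 = author name, $2 = commit message, $3 = "sign" or "nosign"
make_commit() {
    if [ "$3" = sign ]; then gpgsign=true; else gpgsign=false; fi
    git -c user.name="$1" -c user.email=demo@example.invalid \
        -c user.signingkey="$KEYID" -c commit.gpgsign="$gpgsign" \
        commit -q --allow-empty -m "$2" >/dev/null 2>&1 || return 1
    git rev-parse HEAD
}

# Write a copy of a signed commit whose author line was edited after signing,
# keeping the original gpgsig header; print the new object's hash.
# $1 = commit hash, $2 = replacement author name
forge_author() {
    git cat-file commit "$1" \
        | sed "s/^author Demo Signer /author $2 /" \
        | git hash-object -w -t commit --stdin
}

# Run the whole demonstration; returns 0 only if every expectation holds.
run_signing_demo() {
    command -v git >/dev/null && command -v gpg >/dev/null \
        || { echo "git and gpg are required" >&2; return 1; }
    work="$(mktemp -d)" || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    KEYID="$(make_throwaway_key)" || return 1
    git -c init.defaultBranch=main init -q "$work/repo" && cd "$work/repo" || return 1

    unsigned="$(make_commit 'Ronald McDonald' 'I promise my name is ronald mcdonald' nosign)" || return 1
    signed="$(make_commit 'Demo Signer' 'signed with the throwaway key' sign)" || return 1
    forged="$(forge_author "$signed" 'Ronald McDonald')" || return 1

    # 1. Unsigned commit: the author field is free text, there is nothing to verify.
    if git verify-commit "$unsigned" >/dev/null 2>&1; then
        echo "unexpected: unsigned commit verified" >&2; return 1
    fi
    # 2. Signed commit: signature matches the payload and a key in our keyring.
    git verify-commit "$signed" >/dev/null 2>&1 \
        || { echo "signed commit did not verify" >&2; return 1; }
    # 3. Tampered copy: the author line changed after signing, so the signature
    #    no longer covers what the object now says.
    if git verify-commit "$forged" >/dev/null 2>&1; then
        echo "unexpected: tampered commit verified" >&2; return 1
    fi

    echo "unsigned=$unsigned signed=$signed tampered=$forged -> only the signed one verifies"
    gpgconf --kill gpg-agent >/dev/null 2>&1
    cd / && rm -rf "$work"
}

run_signing_demo
```

The tampered object is built with `git hash-object -w`, which is how git stores any object it is handed; nothing stops a plain hash from being recomputed over edited content, which is exactly why the hash alone is not proof of authorship. What GitHub does for the badge is the same `gpg --verify` over the commit payload that `git verify-commit` runs here, with the extra step of matching the signing key to a public key uploaded to a profile.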

Alright, now that we’ve talked about why this matters, let’s talk about how. It’s surprisingly easy.

Let’s Do DevOps

From here on out, all content will be published on Let’s Do DevOps. I want to give back to the community as much as I’m able. Please subscribe there to avoid missing any content. Thanks all ❤.

This content has a paywall for 1 week, and then will be free starting at 8/27/2024 9a CT.

You can find this article here: https://www.letsdodevops.com/p/lets-do-devops-cryptographically


Written by Kyler Middleton

DevNetSecOps, DevRel, cloud security chick. I will teach you, it’s unavoidable. She/Her 🏳️‍🌈🏳️‍🌈, INFJ-A, support the EFF!
