Signed Commits — The Fake Commit That Almost Deployed Malware
A malicious actor pushed a commit impersonating a trusted maintainer.
20+ years shipping production infrastructure and CI/CD at scale. Written from production experience, not tutorials.
- ✓Solid grasp of devops fundamentals
- ✓Comfortable reading and writing code examples independently
- ✓Basic understanding of production deployment concepts
1. Generate a GPG key: gpg --full-generate-key. 2. Add it to GitHub: gpg --armor --export → Settings → SSH and GPG keys. 3. Configure Git: git config --global user.signingkey and git config --global commit.gpgsign true.
Signed commits are like a wax seal on a letter. Anyone can write 'From: Albert Einstein' on an envelope. But a wax seal with Einstein's signet ring can only be created by someone with that ring. GPG signing stamps each commit with your unique digital seal. GitHub checks the seal and shows 'Verified' if it matches your account. No seal = anyone could have written that commit.
| Chrome | Firefox | Safari | Edge |
|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ |
Git commits have an author field that can be set to ANY name and email. git config user.name 'Linus Torvalds' && git config user.email 'torvalds@linux.com' — there's no authentication. This is a feature (Git is trust-based) but also a vulnerability. A malicious actor with push access can impersonate anyone. GPG signing solves this by attaching a cryptographic signature that GitHub/GitLab verifies against your public key. This guide covers setup, the incident where unsigned commits almost deployed malware, and how to enforce signing in your CI/CD pipeline.
Setting Up GPG-Signed Commits
Step 1: Generate a GPG key. Use gpg --full-generate-key. Choose RSA (4096 bits) or Ed25519. Use your REAL email — the one associated with your GitHub account.
Step 2: Export the public key: gpg --armor --export <key-id>. Add it to GitHub: Settings → SSH and GPG keys → New GPG key.
Step 3: Configure Git: git config --global user.signingkey <key-id> and git config --global commit.gpgsign true. Now every commit is auto-signed.
Step 4: Verify: git log --show-signature -1 shows the signature status. On GitHub, a 'Verified' badge appears next to the commit.
git config --global user.email to check and match it to your GitHub email.git log --format='%G?' and reject if any commit shows 'N' (no signature) or 'B' (bad signature). GitHub branch protection rules can require signed commits for specific branches without server-side hooks. For GitLab, use push rules. SSO-managed keys (via GitHub's org-level GPG enforcement) simplify key management for teams.Impersonated Commit Almost Deployed Malicious Code
git config user.name 'Lead Maintainer' && git config user.email 'lead@project.com'. 3. Attacker created a commit that introduced malicious code. 4. The commit appeared in git log as authored by the lead maintainer. 5. Code review missed the malicious code (it was buried in a large diff). 6. The commit was merged and triggered a CI build. 7. Only a team member noticing the odd commit time prevented the deploy.git log --format='%G?' -1 | grep -q 'G' 5. Added a CI check: git log --format='%G?' --all | grep -v 'G' | wc -l must be 0.- Git author/committer fields are self-reported and can be faked.
- GPG signing is the ONLY way to cryptographically verify identity.
- Enable signed commit requirements in branch protection rules.
- Add CI checks that reject unsigned commits.
commit.gpgsign truegit rebase --exec 'git commit --amend --no-edit -S' to retroactively sign (rewrites history)Key takeaways
commit.gpgsign true to auto-sign every commit20+ years shipping production infrastructure and CI/CD at scale. Written from production experience, not tutorials.
That's Git. Mark it forged?
3 min read · try the examples if you haven't