Commit Signing
It's possible to configure git with any name and email, enabling bad actors to spoof commits and impersonate whomever they want. GitHub supports several ways to digitally sign git commits, verifying that they came from someone with access to a previously configured private key.
For example, on 3 August 2022, Stephen Lacy shared on Twitter how he uncovered a massive malware attack on GitHub by noticing unverified commits (i.e. commits that were not digitally signed).
To protect against commit spoofing, all Bitwarden contributors are encouraged to digitally sign their commits.
Setting up commit signing
Github supports commit signing with GPG, SSH and S/MIME. If you're unsure what to use, we recommend GPG.
- Install GnuPG:
- macOS
brew install gnupg
echo "export GPG_TTY=$(tty)" >> ~/.zshrc
Restart your open terminal for this to take effect
-
Follow the Github documentation to configure commit signing
-
Configure your preferred git tool below
-
Push a test commit to Github and ensure that the "Verified" badge appears next to the commit description:
Command Line
-
After configuring commit signing, you can sign a commit by using the
-S
flag:git commit -S
-
To avoid using the
-S
flag every time, you can sign all commits by default:git config --global commit.gpgSign true
(Remove the
--global
flag to only apply this setting to the current repository)
Visual Studio Code
Enable commit signing in Preferences -> Settings -> search "commit signing".
macOS: GPG Key Passphrase Prompt Issue
Some macOS users have had issues with VS Code and the gpg-agent not prompting for the GPG Key
Passphrase in order to sign commits when using the VS Code git GUI. This is illustrated by VS Code
displaying an error popup message: Git: gpg failed to sign the data
.
A workaround for this issue is to configure your gpg-agent to use pinentry for macOS in order to force a secure prompt. Run the following in a terminal of your choice:
brew install pinentry-mac
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent
Note: Note: you might have to restart VS Code for this to take effect, but you should now be prompted for your GPG Key Passphrase as needed. If this does not solve your issue, please follow the Troubleshooting guide below.
SourceTree
Refer to Setup GPG to sign commits within SourceTree.
Troubleshooting
- If you receive the error message "error: gpg failed to sign the data", make sure you added
export GPG_TTY=$(tty)
to your~/.zshrc
(or~/.bashrc
if you're using bash) and restarted your terminal. Refer to this troubleshooting document for more help with this error