One Tip a Week: Sign Your Git Commits

This week's tip is about signing your Git commits.

Anyone can commit code as you on GitHub. Seriously. All they need is your name and email in their git config, and boom, commits show up as if you wrote them. The only defense? Signing your commits with GNU Privacy Guard (GPG).

Why it matters:

  • Proves commits actually came from you, not just someone using your name

  • Organizations can require signed commits through branch protection rules

  • Critical for supply chain security and compliance

  • That "Verified" badge isn't just decorative - it's cryptographic proof
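The "Verified" check, as an added example (not code from the original post or the linked guide): a small Python audit over `git log` output that flags commits which would not earn that badge, including ones that carry a registered author's name and email but no signature or someone else's key. The registry of author email to key id it checks against is an assumed local policy.

```python
"""Audit git log output for commits that would not earn a "Verified" badge.
Input is assumed to come from (standard git-log format placeholders):
    git log --format='%H%x09%G?%x09%GK%x09%an <%ae>' main
"""

# Meaning of git's %G? signature-status codes (from the git-log documentation).
SIGNATURE_STATUS = {
    "G": "good signature", "U": "good signature, key not trusted",
    "B": "bad signature", "X": "signature expired", "Y": "signing key expired",
    "R": "signing key revoked", "E": "cannot check (key missing)", "N": "no signature",
}

def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Return (sha, status, key_id, author) tuples; key_id is empty when unsigned."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, status, key_id, author = line.split("\t", 3)
            commits.append((sha, status, key_id, author))
    return commits

def audit(commits, registered_keys: dict[str, str]) -> list[tuple[str, str]]:
    """Return (sha, reason) for every commit that should not be trusted.
    registered_keys maps author email -> the key id that person registered (a
    hypothetical local policy). A good signature counts only when its key belongs
    to the claimed author: that is what catches a borrowed name and email."""
    findings = []
    for sha, status, key_id, author in commits:
        email = author[author.rfind("<") + 1:author.rfind(">")]
        if status not in ("G", "U"):
            findings.append((sha, SIGNATURE_STATUS.get(status, "unknown status")))
        elif registered_keys.get(email) != key_id:
            findings.append((sha, f"key {key_id} is not registered for {email}"))
    return findings

# Constructed sample: commits 2 and 3 carry Alice's name and email but not her key.
SAMPLE_LOG = (
    "1111111\tG\tA1B2C3D4E5F60718\tAlice Example <alice@example.com>\n"
    "2222222\tN\t\tAlice Example <alice@example.com>\n"
    "3333333\tG\tDEADBEEF00000000\tAlice Example <alice@example.com>\n"
    "4444444\tE\tB0B0B0B0B0B0B0B0\tBob Example <bob@example.com>\n"
)
REGISTERED_KEYS = {"alice@example.com": "A1B2C3D4E5F60718",
                   "bob@example.com": "B0B0B0B0B0B0B0B0"}

if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), REGISTERED_KEYS):
        print(f"{sha}: {reason}")
```

Only the first commit passes: it is signed with the key registered for the email it claims. The same audit runs unchanged against a real branch once the `git log` output is piped in.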

Getting started:

I wrote a full guide on how to sign your Git commits on GitHub. The guide focuses on macOS with GPG Keychain, but covers the concepts for all platforms.

You can also check out GitHub's official documentation for more details.

Tools to get you started:

  • macOS: GPG Suite (includes GPG Keychain for easy key management)

  • Windows: Gpg4win (includes Kleopatra key manager)

  • Linux: Use gpg command-line tools (usually pre-installed)

That's it! Short and sweet. Until the next one!