How to Check If a Git Commit Is Signed

Introduction

In this lab, you will learn how to check if a Git commit is signed. Commit signing is a crucial practice for verifying the authenticity and integrity of your project's history.

Through hands-on steps, you will explore how to use the git log --show-signature command to view signature information for commits and the git verify-commit command to check the signature of a specific commit. You will also learn how to test and identify unsigned commits, gaining a comprehensive understanding of how to ensure the trustworthiness of your Git repository.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL git(("Git")) -.-> git/BasicOperationsGroup(["Basic Operations"]) git(("Git")) -.-> git/BranchManagementGroup(["Branch Management"]) git/BasicOperationsGroup -.-> git/add("Stage Files") git/BasicOperationsGroup -.-> git/status("Check Status") git/BasicOperationsGroup -.-> git/commit("Create Commit") git/BranchManagementGroup -.-> git/log("Show Commits") subgraph Lab Skills git/add -.-> lab-560065{{"How to Check If a Git Commit Is Signed"}} git/status -.-> lab-560065{{"How to Check If a Git Commit Is Signed"}} git/commit -.-> lab-560065{{"How to Check If a Git Commit Is Signed"}} git/log -.-> lab-560065{{"How to Check If a Git Commit Is Signed"}} end

Run git log --show-signature

In this step, we will explore how to view commit signatures using the git log command. Commit signing is a way to verify the identity of the person who made a commit, adding an extra layer of trust to your project's history.

First, navigate to your project directory if you are not already there. Remember, our project is located at ~/project/my-time-machine.

cd ~/project/my-time-machine

Now, let's view the commit log with the --show-signature option. This option tells Git to display signature information for each commit if it exists.

git log --show-signature

You should see the log of your previous commit, and since we haven't configured commit signing yet, you won't see any signature information displayed. The output will look similar to this:

commit a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9 (HEAD -> master)
Author: Jane Doe <[email protected]>
Date:   Mon Aug 7 10:00:00 2023 +0000

    Send a message to the future

The git log --show-signature command is essential for verifying the authenticity of commits in a project. When working in a team or contributing to open-source projects, commit signatures help ensure that the commits you are reviewing or using come from trusted sources. Without signatures, it's harder to be certain about the origin of changes.

In the following steps, we will learn how to configure Git to sign your commits and how to verify those signatures.

Use git verify-commit to Check

In this step, we will learn how to use the git verify-commit command to check the signature of a specific commit. This command is useful when you want to verify the authenticity of a single commit rather than viewing the signature status of all commits in the log.

First, make sure you are in your project directory:

cd ~/project/my-time-machine

To use git verify-commit, you need the commit hash (the unique identifier) of the commit you want to verify. You can get this hash from the git log output. For our first commit, the hash will be a long string of characters. You only need the first few characters (usually 7 is enough) to identify the commit.

Let's get the commit hash using git log --oneline:

git log --oneline

This will show a simplified log output, like this:

a1b2c3d (HEAD -> master) Send a message to the future

The a1b2c3d part is the short commit hash. Copy this hash.

Now, use the git verify-commit command followed by the commit hash. Replace YOUR_COMMIT_HASH with the actual hash you copied:

git verify-commit YOUR_COMMIT_HASH

Since our commit was not signed, you will likely see an output indicating that there is no signature or that the signature could not be verified. This is expected because we haven't configured Git to sign commits yet. The output might look something like this:

object YOUR_COMMIT_HASH
type commit
tag -1
tree 8a9b0c1d2e3f4g5h6i7j8k9l0m1n2o3p4q5r6s7t
parent u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0
author Jane Doe <[email protected]> 1678886400 +0000
committer Jane Doe <[email protected]> 1678886400 +0000

Send a message to the future

The git verify-commit command is a powerful tool for inspecting the details of a commit, including its signature status. It helps you confirm that a commit hasn't been tampered with and that it originates from a trusted source, which is crucial for maintaining the integrity of your project's history.

In the next step, we will create a new commit and see how Git handles unsigned commits when we try to verify them.

Test Unsigned Commits

In this step, we will create another commit without a signature and observe how Git handles it when we use the verification commands we learned in the previous steps. This will reinforce your understanding of how Git identifies unsigned commits.

First, make sure you are in your project directory:

cd ~/project/my-time-machine

Let's add another line to our message.txt file:

echo "This is a second message." >> message.txt

The >> operator appends the text to the existing file. Now, let's check the status:

git status

You should see that message.txt has been modified:

On branch master
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   message.txt

no changes added to commit (use "git add" and/or "git commit -a")

Now, let's stage the changes and create a new commit. We will not sign this commit.

git add message.txt
git commit -m "Add a second message"

You will see output confirming the new commit:

[master a1b2c3d] Add a second message
 1 file changed, 1 insertion(+)

Now that we have a second, unsigned commit, let's use git log --show-signature again to see the history:

git log --show-signature

You will see both commits in the log. Neither will show signature information because we haven't configured signing yet.

commit a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9 (HEAD -> master)
Author: Jane Doe <[email protected]>
Date:   Mon Aug 7 10:00:00 2023 +0000

    Add a second message

commit u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0
Author: Jane Doe <[email protected]>
Date:   Mon Aug 7 10:00:00 2023 +0000

    Send a message to the future

Finally, let's use git verify-commit on the new commit. Get the short hash of the latest commit using git log --oneline and replace YOUR_NEW_COMMIT_HASH below:

git log --oneline

a1b2c3d (HEAD -> master) Add a second message
u1v2w3x Send a message to the future

Now verify the new commit:

git verify-commit YOUR_NEW_COMMIT_HASH

Again, the output will show the commit details but no signature verification status, confirming that this commit is also unsigned.

This step demonstrates that by default, Git commits are not signed. To add a layer of security and trust, you need to explicitly configure Git to sign your commits, which is a more advanced topic we won't cover in this introductory lab. However, understanding how to identify unsigned commits using git log --show-signature and git verify-commit is the first step in working with signed commits.

Summary

In this lab, we learned how to check if Git commits are signed. We started by using the git log --show-signature command to view the signature status of all commits in the project history. This command is crucial for quickly assessing the authenticity of commits.

Next, we explored the git verify-commit command, which allows us to verify the signature of a specific commit using its hash. This is useful for targeted verification. Finally, we tested unsigned commits to understand how they appear when checking for signatures. These steps provide a foundational understanding of how to verify commit authenticity in Git.