What is the difference between git commit -S and -s?


I recently got to know about signed commits, and they are recommended. We can sign commits locally with git commit -S. After that, I read the git man page and there was an option called -s (used as git commit -s), and it said that the option signs the commit. When I look up -S, it says that it signs the commit with GPG keys.

I am setting up signed commits with GPG keys on GitHub. Does this make a difference when pushing, or is it the same when it comes to pushing to a remote?

Accepted answer:

-S (short for --gpg-sign) uses GnuPG to sign your commit, adding a PGP signature to it. This is a cryptographic signature certifying that the owner of the GPG key, or an actor who has access to it, is making that commit/tag.

-s (short for --signoff) adds "Signed-off-by: Username <Email>" to the end of your commit message. Anyone could put this string inside the commit message (so it is not any guarantee of authorship), but it has been used to uphold copyright. Some projects require this for the DCO ("Developer Certificate of Origin"), essentially a certification by the developer that they have permission to contribute the code.

Answer:

The actual description for -s/--signoff is:

Add Signed-off-by line by the committer at the end of the commit log message. The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see http://developercertificate.org/ for more information).

As described, it basically adds a "Signed-off-by:" line at the end of a commit message, like this:

$ git log
commit 172ccc467d2171b645bb55d51146af82ac36d356 (HEAD -> master)
Author: gino <[email protected]>
Date:   Sun Nov 15 11:56:10 2020 +0900

    Added something
    
    Signed-off-by: gino <[email protected]>

You can read it as "I approved the commit and I take responsibility for it". Its purpose is already well answered in this related post: What is the Sign Off feature in Git for?. It is a way for projects to assign responsibility for a commit, which, as the accepted answer on that post mentions, is required when the copyright or license of the commit is relevant.

But since it's just a part of the commit message, anyone can add/edit it, and you can actually add it yourself by typing it manually or by using commit message templates. You can even put someone else's name/email on there. On GitHub, it will get treated the same way as any other multi-line commit message, and GitHub will not verify the commit based on the signoff line or show any UI indicators that "this commit has been approved". This is of course a violation of the DCO, which is the purpose of the signoff, and there are plugins/bots you can use to enforce it for PRs, like this probot/dco.

The -S/--gpg-sign option, on the other hand, is an actual cryptographic signature, as it uses the GPG key you generated on the machine where you made the commit, and then GitHub uses the public key that you gave it to verify that the commit indeed came from you (or from a source that has your GPG keys). As the GitHub docs on signing commits put it:

Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.

If a commit or tag has a signature that cannot be verified, GitHub marks the commit or tag as unverified.

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified.

Commits signed using -S and correctly verified by GitHub will show a "Verified" indicator.

Make sure to follow their steps on GPG commit signature verification; GitHub explains what it does with the uploaded key:

When verifying a signature, we extract the signature and attempt to parse its key-id. We match the key-id with keys uploaded to GitHub. Until you upload your GPG key to GitHub, we cannot verify your signatures.

As for which one to use, that depends on what you are putting on GitHub and what your purpose for "signing commits" is. I would say that signing with GPG keys makes more sense if you just want to show that it was actually you (or one of your machines/bots) that pushed that commit.
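The following script is an added example, not part of either answer above, that makes their point observable in a throwaway repository: a commit made with -s carries only a text trailer (which can name anyone), while a commit made with -S carries a gpgsig header in the commit object and a signature status git can check. It assumes git is on PATH; gpg is optional and, if present, a throwaway key is generated in a private GNUPGHOME so that the caller's keyring is not touched. The identity gino <gino@example.com> and the forged "Someone Else" signoff are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answers above): show what -s and -S actually
# change in the commit object.  Assumes git is on PATH; gpg is optional.
# The identity "gino <gino@example.com>" and the forged signoff are constructed.
set -eu

# new_repo: throwaway repository with one staged file and a local identity.
# commit.gpgsign is forced off so that -s alone never produces a signature.
new_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.name "gino"
    git -C "$dir" config user.email "gino@example.com"
    git -C "$dir" config commit.gpgsign false
    echo hello > "$dir/file.txt"
    git -C "$dir" add file.txt
    printf '%s\n' "$dir"
}

# inspect: print "<Signed-off-by value>|<%G? status>|<gpgsig header?>" for HEAD.
#   - the trailer is read from the message text (%B), so it is just text
#   - %G? is N when the commit carries no signature at all, G for a good one
#   - a real signature lives in a "gpgsig" header of the raw commit object
inspect() {
    trailer=$(git -C "$1" log -1 --format=%B | sed -n 's/^Signed-off-by: //p')
    status=$(git -C "$1" log -1 --format=%G?)
    if git -C "$1" cat-file -p HEAD | grep -q '^gpgsig'; then header=yes; else header=no; fi
    printf '%s|%s|%s\n' "$trailer" "$status" "$header"
}

# git commit -s: trailer present, no signature, no gpgsig header.
signoff_commit() {
    r=$(new_repo)
    git -C "$r" commit -q -s -m "Added something"
    inspect "$r"
    rm -rf "$r"
}

# The trailer is ordinary message text: nothing stops a committer from
# writing someone else's name there, and git reports it exactly as typed.
forged_signoff() {
    r=$(new_repo)
    git -C "$r" commit -q -m "Added something" \
        -m "Signed-off-by: Someone Else <someone.else@example.com>"
    inspect "$r"
    rm -rf "$r"
}

# git commit -S: needs a key.  Generates a throwaway GPG key in a private
# GNUPGHOME so nothing in the caller's keyring is touched.  Expected
# output is "|G|yes": no trailer, a good signature, a gpgsig header.
gpg_signed_commit() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "gino <gino@example.com>" default default never || return 1
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ { print $10; exit }')
    [ -n "$fpr" ] || return 1
    r=$(new_repo)
    git -C "$r" config user.signingkey "$fpr"
    git -C "$r" commit -q -S -m "Added something" || return 1
    inspect "$r"
    gpgconf --kill gpg-agent
    rm -rf "$r" "$GNUPGHOME"
}

echo "git commit -s   : $(signoff_commit)"
echo "forged signoff  : $(forged_signoff)"
if command -v gpg >/dev/null 2>&1 && out=$(gpg_signed_commit 2>/dev/null); then
    echo "git commit -S   : $out"
else
    echo "git commit -S   : skipped (gpg not available or key generation failed here)"
fi
```

The first two lines of output read "gino <gino@example.com>|N|no" and "Someone Else <someone.else@example.com>|N|no": git accepts the forged trailer without complaint and reports no signature in either case, which is exactly why a signoff line cannot be used as proof of who made a commit. Only the -S commit changes the %G? status and adds the gpgsig header, and that is what GitHub's "Verified" badge is based on.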