git config user.name "Linus Torvalds"
git config user.email "torvalds@linux-foundation.org"
git commit -m "Added backdoor (just kidding)"

Last week, I found something scary. Anyone can pretend to be you on GitHub. They can commit code using your name. They don’t need your password. They don’t need any permission.

Look at this:

git config user.name "Linus Torvalds"
git config user.email "torvalds@linux-foundation.org"
git commit -m "Added backdoor (just kidding)"

You just committed code as Linus Torvalds. Yes, it’s that easy.

This is not a bug. Git was designed this way. But now we have a problem. Hackers can attack our code. Companies need to verify who wrote what. We need better security.

I will show you how to fix this. You will learn how to sign your commits with GPG. You will learn other security tips too. Let’s start.

---

🚨 The Problem: Anyone Can Fake Your Identity in Git

Why This Is Bad

Git trusts whatever name you give it. This creates problems:

• Fake identity: Someone can write bad code using your name
• No proof: Companies can’t prove who wrote the code
• Open source risk: Project owners can’t verify who is contributing
• Legal trouble: You might get blamed for code you didn’t write

What Happened Before

In 2021, some researchers tried to add bad code to Linux. They used fake names. The Linux team found out. They banned the whole university from contributing.

This showed us something important. We need a way to prove who wrote the code.

---

✅ Solution: Sign Your Commits with GPG

What is GPG?

GPG is a tool. It uses math to prove your identity. Think of it like a signature on a paper document. But this signature is digital. No one can fake it.

Here’s how it works:

1. You create two keys. One is public. One is private.
2. You sign your commit with your private key.
3. GitHub checks your signature with your public key.
4. If it matches, GitHub shows a “Verified” badge.

How to Set It Up

I will show you every step. Follow along.

📦 Step 1: Install GPG

First, you need to install GPG on your computer.

If you use macOS:

brew install gnupg

If you use Ubuntu or Debian:

sudo apt-get install gnupg

If you use Windows:

You can download it from gnupg.org. Or you can use this command:

choco install gnupg

Now check if it works:

gpg --version

You should see the version number.

🔑 Step 2: Create Your GPG Key

Now you will create your key. Run this command:

gpg --full-generate-key

The program will ask you some questions. Here’s what to choose:

• Key type: Choose option 1 (RSA and RSA)
• Key size: Type 4096 (this is the most secure)
• How long is it valid: Type 1y (one year is good)
• Your name: Type your real name
• Your email: Type your GitHub email
• Password: Choose a strong password

You will see something like this:

gpg: key 3AA5C34371567BD2 marked as ultimately trusted
gpg: revocation certificate stored as '/Users/you/.gnupg/openpgp-revocs.d/...'
public and secret key created and signed.

pub   rsa4096 2025-11-07 [SC] [expires: 2026-11-07]
4AE12B7F3D8C9E6A5B4C1D2E3AA5C34371567BD2
uid                      Your Name <your.email@example.com>
sub   rsa4096 2025-11-07 [E] [expires: 2026-11-07]

Save that key ID. You will need it. In this example, the key ID is 3AA5C34371567BD2.

⚙️ Step 3: Tell Git to Use Your Key

First, find your key ID. Run this:

gpg --list-secret-keys --keyid-format=long

You will see:

sec   rsa4096/3AA5C34371567BD2 2025-11-07 [SC] [expires: 2026-11-07]
4AE12B7F3D8C9E6A5B4C1D2E3AA5C34371567BD2
uid                 [ultimate] Your Name <your.email@example.com>

Now tell Git to use this key. Replace 3AA5C34371567BD2 with your key ID:

# Set your signing key
git config --global user.signingkey 3AA5C34371567BD2

# Sign all commits automatically
git config --global commit.gpgsign true

# Sign all tags too
git config --global tag.gpgsign true

Windows users need one more step:

git config --global gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"

This tells Git where to find GPG.

🌐 Step 4: Add Your Key to GitHub

Now you need to give GitHub your public key. First, export it:

gpg --armor --export 3AA5C34371567BD2

You will see something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGcsh...
[lots of random letters and numbers]
...=abcd
-----END PGP PUBLIC KEY BLOCK-----

Copy everything. Include the BEGIN and END lines.

Now go to GitHub:

1. Open GitHub Settings → SSH and GPG keys
2. Click “New GPG key”
3. Paste your public key
4. Click “Add GPG key”

Done!

✨ Step 5: Test It

Let’s make a signed commit. Try this:

# Create a test file
echo "# Signed Commit Test" > README.md
git add README.md
git commit -m "My first signed commit!"

Now check if it worked:

git log --show-signature -1

You should see:

commit abc123... (HEAD -> main)
gpg: Signature made Fri Nov  7 09:28:00 2025 CST
gpg: Good signature from "Your Name <your.email@example.com>" [ultimate]
Author: Your Name <your.email@example.com>
Date:   Fri Nov 7 09:28:00 2025 +0800

My first signed commit!

Push to GitHub. You will see a green “Verified” badge. You did it!

---

🔧 Common Problems and How to Fix Them

Problem 1: “gpg failed to sign the data”

This is the most common error. Here’s how to fix it.

First, test GPG directly:

echo "test" | gpg --clearsign

If this doesn’t work, your GPG agent is not running. Start it:

gpgconf --launch gpg-agent

If it still doesn’t work, restart it:

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

Second, set up your terminal:

If you use macOS or Linux, add this to your shell config file. Open ~/.bashrc or ~/.zshrc and add:

export GPG_TTY=$(tty)

Save the file. Then run:

source ~/.bashrc

Now try again.

Problem 2: “No secret key”

This means you’re using the wrong key ID. Check your keys again:

gpg --list-secret-keys --keyid-format=long

Find the right key ID. Update your Git config:

git config --global user.signingkey YOUR_CORRECT_KEY_ID

Problem 3: GPG Asks for Password Every Time

This is annoying. Here’s how to fix it.

On macOS:

Install GPG Suite. It works with your Keychain:

brew install --cask gpg-suite

On Linux:

Edit your GPG config. Open this file:

nano ~/.gnupg/gpg-agent.conf

Add these lines:

default-cache-ttl 34560000
max-cache-ttl 34560000

Save the file. Reload GPG:

gpg-connect-agent reloadagent /bye

Now GPG will remember your password for a long time.

---

🔐 Other Ways to Keep Your Git Safe

2. Use SSH Keys

SSH keys are another way to prove your identity. They work with GitHub connections.

Create an SSH key:

ssh-keygen -t ed25519 -C "your.email@example.com"

This creates a new key. The program will ask where to save it. Press Enter for the default location.

It will ask for a password. Choose a good one.

Now add it to GitHub:

1. Copy your public key:

cat ~/.ssh/id_ed25519.pub

1. Go to GitHub Settings → SSH and GPG keys
2. Click “New SSH key”
3. Paste your key
4. Click “Add SSH key”

Test it:

ssh -T git@github.com

You should see a welcome message.

3. Turn On Vigilant Mode

GitHub has a feature called Vigilant Mode. It shows which commits are signed and which are not.

Go to GitHub Settings. Find “Vigilant mode”. Check the box that says “Flag unsigned commits as unverified”.

Now all your unsigned commits will show a warning.

4. Don’t Save Passwords in Git Config

Never put passwords in your Git config file. This is dangerous.

Bad way:

# Don't do this!
git config user.password "secret123"

Good way - use a credential helper:

# On macOS
git config --global credential.helper osxkeychain

# On Windows
git config --global credential.helper manager

# On Linux
git config --global credential.helper cache

These tools save your passwords safely.

5. Set Up Branch Protection

If you manage a repository, you can force everyone to sign commits.

Go to your repo settings. Click “Branches”. Add a rule. Check these boxes:

• Require signed commits
• Require pull request reviews
• Require status checks to pass

Now no one can push unsigned commits.

---

🛠️ Useful Tools

1. Pre-commit Hooks

Pre-commit hooks check your code before you commit. They can find security problems.

Install it:

pip install pre-commit

Create a config file. Make a new file called .pre-commit-config.yaml:

repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.0
hooks:
- id: gitleaks

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: check-added-large-files
- id: detect-private-key

Install the hooks:

pre-commit install

Now it will check your commits automatically.

2. Git-secrets

Git-secrets stops you from committing passwords or API keys.

Install it:

# On macOS
brew install git-secrets

# On other systems, get it from:
# https://github.com/awslabs/git-secrets

Set it up in your repo:

cd your-repo
git secrets --install
git secrets --register-aws

Now it will block commits that contain secrets.

3. Check Signatures in CI/CD

You can check commit signatures automatically. Here’s a GitHub Actions example.

Create a file at .github/workflows/verify-commits.yml:

name: Verify Signed Commits

on: [push, pull_request]

jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Check commit signatures
run: |
for commit in $(git rev-list ${{ github.event.before }}..${{ github.sha }}); do
if ! git verify-commit $commit 2>/dev/null; then
echo "Error: Unsigned commit found: $commit"
exit 1
fi
done
echo "Success: All commits are signed"

This checks every commit in your pull request.

4. Hardware Keys (YubiKey)

If you want maximum security, you can use a hardware key. A YubiKey is a physical device. It stores your GPG key.

Here’s how to move your key to a YubiKey:

gpg --edit-key 3AA5C34371567BD2
> keytocard

Now your private key lives on the device. No one can steal it from your computer.

---

📊 Signed vs Unsigned Commits

Here’s a quick comparison:

What You Get	Without Signing	With GPG Signing
Proof of identity	No	Yes
Tamper protection	No	Yes
GitHub badge	“Unverified” warning	Green “Verified” badge
Good for compliance	No	Yes
Time to set up	0 minutes	10 minutes
Daily effort	None	None (automatic)

---

📚 More Resources

Here are some helpful links:

• GitHub Docs: Signing Commits
• Git Book: Signing Your Work
• GPG Cheat Sheet

---

Why This Matters

Git was built a long time ago. Back then, people trusted each other. Now we have hackers. We have supply chain attacks. We need better security.

The good news is that fixing this is easy. You spend 10 minutes now. You get security forever.

You learned a lot today:

• Why Git identity can be faked
• How to set up GPG signing step by step
• How to fix common problems
• Other security tips
• Tools that help you

Now you know how to protect yourself. Your next commit should be signed. Your code will be more secure.

---

Have questions? I read every comment. Let’s make Git more secure together.