using GPG to prove you wrote your code

security programming

GPG is cool. You can use GPG to send encrypted messages, sign files to prove you generated them, and sign git commits to prove you committed them. You can get my key here. DigitalOcean has a neat guide to getting started with GPG. It explains asymmetric encryption, key generation and revocation, and key signing and maintenance.

The author and committer fields of a git commit are plain text: anyone can set user.name and user.email to your values and produce commits that look like yours, as demonstrated by this tool. A signature changes that. If you upload your GPG public key to GitHub, it checks each signed commit against the keys on your account, so anyone who trusts GitHub can take a commit marked “Verified” to mean it was signed by a key you control and carries an email address verified on your account. Two caveats: the badge proves possession of the key, not who typed the code, so guard the private key accordingly; and commits made through GitHub’s web interface are signed by GitHub’s own key, so they show “Verified” without involving any key of yours.

First, upload your GPG public key to GitHub through the Settings page (the email on the key must match a verified address on your account). Then, tell git which key to sign with by following the instructions here.

From now on, add -S to the git invocations that create commits (commit, rebase, etc.) and -s to your git tag invocations, or set commit signing on by default in your git config so you cannot forget the flag. Add "git.enableCommitSigning": true to your VS Code settings.json so that VS Code signs commits for you. You can even forward your local gpg-agent to remote SSH sessions, so commits made on the remote host are signed without the private key ever leaving your machine.
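The whole flow end to end, as an added example that is not part of the original post: it generates a throwaway key in a temporary GNUPGHOME, configures a repo to sign every commit (the config-file equivalent of always passing -S), verifies the signed commit, then shows that a commit which merely claims your name and email in its author field fails verification. The key, names and email address are constructed for the demo; it assumes gpg 2.1+ and git are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): signed vs. merely "authored" commits.
# Assumes gpg (2.1+) and git are on PATH. Everything lives in a temp dir.
set -euo pipefail

# Runs in a subshell so the cd/export below do not leak into the caller.
demo_signed_commit() (
  local work; work="$(mktemp -d)"
  export GNUPGHOME="$work/gnupg"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # 1. Throwaway signing key, no passphrase (demo only; a real key gets one).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Dev <demo@example.com>' ed25519 sign 0
  local keyid
  keyid="$(gpg --list-secret-keys --with-colons demo@example.com \
           | awk -F: '/^sec/ {print $5; exit}')"

  # 2. Repo that signs every commit and tag by default, so -S is never forgotten.
  git init -q "$work/repo"
  cd "$work/repo"
  git config user.name 'Demo Dev'
  git config user.email 'demo@example.com'
  git config user.signingkey "$keyid"
  git config commit.gpgsign true
  git config tag.gpgSign true

  echo 'hello' > README
  git add README
  git commit -q -m 'signed commit'

  # 3. verify-commit exits 0 only for a good signature from a key in the keyring.
  local signed forged
  if git verify-commit HEAD 2>/dev/null; then signed=good; else signed=bad; fi

  # 4. Anyone can put "Demo Dev <demo@example.com>" in the author field;
  #    without the private key the commit simply has no signature to check.
  echo 'forged' > FORGED
  git add FORGED
  git -c commit.gpgsign=false -c user.name='Demo Dev' \
      -c user.email='demo@example.com' commit -q -m 'forged authorship'
  if git verify-commit HEAD 2>/dev/null; then forged=good; else forged=unsigned; fi

  gpgconf --kill gpg-agent 2>/dev/null || true
  echo "$signed $forged"
)

# Usage: demo_signed_commit   -> prints "good unsigned"
```

Locally, `git verify-commit` (and `git log --show-signature`) only checks against keys in your own keyring; GitHub's "Verified" badge additionally requires that the key be uploaded to the account whose verified email matches the committer email, which is why the upload step above matters.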