With the rise of supply chain attacks and unauthorized code changes, ensuring the integrity of code repositories has become a top priority for teams and organizations. One powerful way to secure your Git workflow is by using PGP (Pretty Good Privacy) keys.

This article explains why PGP keys are essential for Git security, explores their role in preventing spoofing attacks, highlights a real-world example with the Linux kernel, and provides a step-by-step tutorial to help you get started.

Why Use PGP Keys with Git?

PGP keys allow developers to digitally sign their commits and tags in Git, adding an extra layer of security and authenticity. Here’s why it matters:

1. Verifies Code Authenticity

PGP signatures confirm that commits or tags come from verified authors. This prevents attackers from impersonating developers and making unauthorized changes.

2. Ensures Code Integrity

Signatures guarantee that the content of a commit or tag has not been tampered with after it was signed. This protects against man-in-the-middle (MITM) attacks or accidental modifications.

3. Mitigates Supply Chain Attacks

Recent attacks have shown how vulnerable the software supply chain can be. Signed commits prevent malicious code injection by enforcing stricter identity verification.

4. Prevents Spoofing Attacks

Spoofing attacks involve an attacker masquerading as a legitimate user to deceive others. In the context of Git:

  • Commit Spoofing: An attacker could create commits that appear to come from a trusted developer, introducing malicious code.
  • Tag Spoofing: An attacker might create or alter tags to misrepresent release versions, leading users to download compromised software.

How PGP Helps:

  • Authenticity Verification: PGP signatures ensure that only the legitimate owner of a PGP key can sign commits and tags. This makes it exceedingly difficult for attackers to spoof identities.
  • Detection of Unauthorized Changes: Even if an attacker manages to create a commit or tag, without the correct PGP signature, it will be flagged as untrusted or invalid.

5. Builds Trust in Open-Source Projects

For open-source repositories, PGP keys enable maintainers to verify contributors, ensuring only trusted users can submit code.

6. Compliance and Audit Requirements

Many organizations need audit trails for compliance standards like SOC 2 or ISO 27001. Signed commits provide a verifiable history of changes, improving auditability.

Real-World Example: Linux Kernel’s Use of PGP Keys

One of the most prominent examples of PGP key usage in Git repositories is the Linux Kernel. The Linux development community places a high emphasis on security and integrity, making it an ideal case study.

Why the Linux Kernel Uses PGP Keys

  1. Trusted Releases:
    • The Linux Kernel team uses PGP-signed tags for their official releases. This ensures that when users download a kernel version, they can verify it was indeed released by the trusted maintainers.
  2. Preventing Unauthorized Changes:
    • By signing tags, the Linux project ensures that any attempt to modify release versions without proper authorization is easily detectable.
  3. Maintaining Developer Trust:
    • With contributions coming from a vast number of developers worldwide, PGP signatures help maintain trust in the authenticity of each contribution.

How It Works

  1. Signing Releases:
    • When a new version of the Linux Kernel is released, maintainers create a Git tag and sign it using their PGP keys: 
      git tag -s v5.15 -m "Linux Kernel version 5.15"
  2. Verification by Users:
    • Users who download the kernel can verify the signature to ensure it hasn’t been tampered with: 
      git tag -v v5.15

      This command checks the tag’s signature against the maintainers’ public PGP keys.

  3. Trust in Distribution Channels:
    • Package maintainers and distribution platforms rely on these signatures to authenticate kernel releases before deploying them to users.

Impact

By implementing PGP-signed tags, the Linux Kernel project significantly reduces the risk of spoofing attacks and ensures that users receive authentic, untampered code. This practice has set a standard in the open-source community, encouraging other projects to adopt similar security measures.

Getting Started: A Step-by-Step Guide to Using PGP Keys with Git

Now that you understand the importance of PGP keys, including their role in preventing spoofing attacks and safeguarding critical projects like the Linux Kernel, let’s walk through how to configure them in Git.

Step 1: Generate a PGP Key Pair

Install GnuPG (GPG) if it’s not already installed:

sudo apt install gnupg    # Ubuntu/Debian
brew install gnupg        # macOS

Generate a new PGP key:

gpg --full-generate-key

1.	Key type: Select (1) RSA and RSA.
2.	Key size: Enter 4096 bits for stronger security.
3.	Expiration date: Choose an expiration or set it to never expire.
4.	User ID: Provide your name and email address.
5.	Passphrase: Create a secure passphrase to protect your private key.

Step 2: List and Copy Your Public Key

Find your key’s ID:

gpg --list-secret-keys --keyid-format=long

Example output:

sec   rsa4096/ABC123DEF4567890 2023-12-01 [SC]
      uid   John Doe <john.doe@example.com>

Export the public key:

gpg --armor --export john.doe@example.com > public_key.asc

Step 3: Configure Git to Use Your PGP Key

Tell Git to use your key:

git config --global user.signingkey ABC123DEF4567890

Enable automatic signing for commits:

git config --global commit.gpgsign true

(Optional) Enable signing for tags:

git config --global tag.gpgSign true

Step 4: Sign a Commit or Tag

Sign a commit:

git commit -S -m "Signed commit"

Sign a tag:

git tag -s v1.0.0 -m "Signed version 1.0.0"

Verify a signature:

git log --show-signature

Step 5: Publish Your Public Key to a Remote Repository

GitHub

  1. Go to Settings → SSH and GPG Keys.
  2. Click New GPG Key and paste your public key:
cat public_key.asc
  1. Save the key.

GitLab

  1. Go to Settings → GPG Keys.
  2. Paste your public key.
  3. Add the key.

Step 6: Enforce Signed Commits on Remote Repositories

GitHub (Branch Protection Rules)

  1. Go to your repository’s Settings → Branches.
  2. Add a branch protection rule for main or master.
  3. Enable Require signed commits.
  4. Save the changes.

Now, unsigned commits will be rejected when pushed to protected branches.

GitLab and Bitbucket

Use CI/CD pipelines to enforce signature verification as part of the build process.

Example (GitLab):

stages:
  - verify

verify_signatures:
  stage: verify
  image: alpine
  before_script:
    - apk add --no-cache gnupg
  script:
    - git log --show-signature

Best Practices for Managing PGP Keys

Revocation Certificate: Generate a revocation certificate in case your key is lost or compromised:

gpg --gen-revoke YOUR_KEY_ID > revoke.asc
  • Backup Keys Securely: Store backups in encrypted storage or hardware security modules (HSM).
  • Rotate Keys Regularly: Update keys periodically or whenever a team member leaves the organization.
  • Use Hardware Tokens (YubiKey): Secure your private key on a hardware device for added protection.

Final Thoughts

In an era where security breaches are on the rise, PGP-signed commits and tags provide a robust mechanism to safeguard your Git repositories. Whether you’re working in open source, enterprise software, or collaborative projects, adopting PGP keys enhances both security and trust in your development process.

By following the tutorial above, you can start signing your commits today and enable verification workflows to protect your codebase from tampering and unauthorized changes. Additionally, understanding the role of PGP keys in preventing spoofing attacks and observing real-world implementations like the Linux Kernel underscores their vital importance in maintaining secure and trustworthy software development practices.

Secure your Git workflow—sign your code, protect your projects, and build trust!

Where to Go from Here

To further enhance your understanding and implementation of PGP keys with Git, explore the following resources:

Official Documentation

Tutorials and Guides

Tools and Integrations

  • Git Hooks: Customize Git behavior with hooks to enforce signature policies.

Community and Support

Additional Reading

  • Pro Git Book: An extensive resource covering all aspects of Git, including security features.

Security Tools

  • Black Duck: Tools for managing open-source security, including signature verification.
  • Snyk: Developer-friendly security tools that integrate with Git repositories to monitor for vulnerabilities.