Git Commit Signing With JetBrains Space

How to sign commits with JetBrains Space

When using a version control system like Git, being able to explore the commit history is fantastic: you can see who and when made certain changes, and you can piece together how your code base evolves over time. Except, can you be sure the changes really were made by the developer the Git history shows? Anyone who has access to a Git repository can commit changes with any name and email address, so how can the commit history be trusted?

Signing Git commits is a way to ensure the authenticity and integrity of your commits. Doing so lets you prove that a commit was indeed made by you, and that the changes you’ve made to the code base have not been tampered with by anyone else. Other contributors will have peace of mind knowing it really was you, not some wannabe hacker. In addition, you’ll get a cool Verified badge in the commit history.

You can also configure your Git repository host to validate commit signatures when pushing changes. If an invalid signature is detected, or the key used for signing is not linked to a known user, the push can be rejected. This helps you ensure the security, authenticity, and integrity of your Git repository.

In this blog post, we’ll explore what signing Git commits is all about and how JetBrains Space can help you verify Git commit signatures. We’ll also provide some links and resources on how to get started with signing Git commits.

What are Git commit signatures?

When you sign a commit, you use a private key to create a digital signature for the commit. This signature is then attached to the commit and can be verified by anyone who knows your public key.

Signing Git commits helps with two important aspects of the software delivery lifecycle (SDLC):

  • Security – By signing your commits, you can help protect your repository from tampering or modification by unauthorized parties.
  • Authenticity – Git commit signing lets you verify the identity of the person who made the commit, and it helps ensure that the commit is genuine.

To sign Git commits, a GPG (GNU Privacy Guard) key or SSH key is typically used. Historically, GPG keys have been used for signing Git commits, but since Git 2.34, SSH keys can be used, as well. You can use your existing SSH authentication key as a signing key, or you can generate a specific one for commit signatures to make sure Git authentication and commit authenticity use different proof.

How to verify Git commits using JetBrains Space

JetBrains Space is a complete software development platform that lets you host Git repositories and helps teams work together more effectively. One of its features is the ability to verify Git commit authors and signatures.

To configure verification when pushing to a Git repository in Space, go to the repository settings and edit the Push restrictions.

There are several options when it comes to validating commit authors:

  • Verify committer – Checks that the email address associated with the commit matches the person’s email address in Space. This check doesn’t add much in terms of security, but can be enabled to make sure the client is set up properly. For example, it can be used to validate that a company email address is configured, not a personal one.
  • Require commit signature – Allows only commits that have a valid GPG or SSH signature.
  • Verify commit signature – Checks commits for a valid GPG or SSH signature but does not require them. Signed commits with known keys are labeled as Verified, while unsigned commits or commits with invalid signatures are labeled as Unverified. In order to use this option, every committer must upload their GPG or SSH key and configure it in their JetBrains Space profile. Note that Space doesn’t support S/MIME.

A combination of the last two options provides the highest level of security.

Once configured, Space will enforce these settings when pushing to the Git repository. For example, when you configure the Git repository to require a valid signature and try pushing an unsigned commit, it will be rejected:

> git push
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 16 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 273 bytes | 273.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (1/1)
remote: b1f7d0f2b2857e16cd756ed9cdcca938b9aaa597: Commit is not signed
To ssh://
 ! [remote rejected] main -> main (b1f7d0f2b2857e16cd756ed9cdcca938b9aaa597: Commit is not signed)
error: failed to push some refs to 'ssh://'

Commits with a valid signature will be shown as such in the Git commit history in Space. Signed commits will be marked as “Verified”, while unsigned ones will have an “Unverified” label.

If you’re using IntelliJ IDEA or any other JetBrains IDE, signature information is also displayed in the Git tool window. When you are signed in to your Space organization using the bundled Space plugin, the Git log will show you information about the commit, together with its signature verification status.

Seeing that verified badge next to your name is pretty neat, isn’t it?

Setting up Git commit signing with GPG

To set up Git commit signing with GPG signatures, you’ll need both Git and the GPG command-line tool installed. You can run gpg --version in a command prompt to see whether it’s installed.

If GPG is not installed, you can do it manually:

  • On Windows, Git for Windows bundles GPG. You can also install Gpg4win.
  • On Linux, GPG can be installed using your package manager (sudo apt install gnupg on Debian/Ubuntu).
  • On macOS, you can use Homebrew to install GPG (brew install gnupg).

After you have both Git and GPG on your device, you’ll need to generate a GPG key pair by running the following command:

gpg --full-generate-key

When prompted, select a key type, key size, and expiration date. It’s generally recommended to use the default RSA and RSA (default) options, a key size of 4096 bits, and an expiration date of at least 1 year in the future.

The tool will also ask you to enter your name, email address, and a passphrase for your key. The name and email address you enter should match the ones you use for Git.

Once the key pair is generated, you can view your keys by running the following command:

gpg --list-secret-keys --keyid-format=long

From the list of GPG keys, copy the long form of the GPG key ID you’d like to use. This will look something like 32FA0BE4567C9ABC.

To sign commits with your GPG key, you’ll need to tell Git which key to use. You can do this by running the following command, using the GPG key ID you just copied:

git config --global user.signingkey 32FA0BE4567C9ABC

Additionally, if you want to enable Git commit signing by default, run the following command:

git config --global commit.gpgsign true

You’re almost there! Any commit will now be signed using your newly created GPG key. However, you’ll still need to export the public key and make sure Space knows it. To export the public key, run the following command (again substituting the GPG key ID you copied earlier):

gpg --armor --export 32FA0BE4567C9ABC

Copy the entire key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----. This key will need to be added to your profile in JetBrains Space.

That’s it! You’re good to go now, with an additional layer of verification for all your commits.

Note: If you’re using other Git hosts, upload your GPG key using the instructions for GitHub, GitLab, or Bitbucket.

Setting up Git commit signing with SSH

If you want to use an SSH key to sign your Git commits, you’ll also need both Git and the GPG command-line tool installed. See the previous section to learn more about how to install them.

Next, you’ll need to set the gpg.format option to ssh, and set the path to your SSH key with the user.signingkey option. Optionally, you can sign all Git commits by default by setting the commit.gpgsign option as follows:

git config --global gpg.format ssh
git config --global user.signingkey /PATH/TO/YOUR/.SSH/KEY.PUB
git config --global commit.gpgsign true

Make sure to also add your public SSH key to your profile in JetBrains Space.

Tip: If you’re using 1Password, you can use its embedded SSH agent to handle SSH-based authentication and signing for you.

Enable Git commit signing in the IDE

If you’re using an IntelliJ IDEA-based JetBrains IDE, you can enable Git commit signing per project in the IDE. Go to Settings/Preferences in IntelliJ IDEA (or whatever JetBrains IDE you’re using), navigate to Version Control | Git, and then click the Configure GPG key button.

In the dialog that opens, you can toggle commit signing, and choose the signature that the IDE should use when signing your commits:

When enabled, every commit in the IDE will be signed with the selected key. The state of the GPG signature will also be displayed in the Commit details pane in the Git tool window.

In summary

Signing commits is a way to verify the authenticity of a commit in a Git repository. It helps ensure that commits have not been tampered with, and provides a way to verify the identity of the committer.

Git repositories in JetBrains Space let you verify commits when pushing to the repository. There are 3 levels of verification available: verifying just the committer’s email address, requiring a signature, and verifying whether the signature is valid and linked to a known GPG or SSH key. A combination of the second and third options provides the highest level of security, even though it requires that every committer upload their GPG or SSH key and configure it in their Space profile.

Once set up, enjoy the Verified badge for your commits in the Git history, as well as the added security and verification provided by signing commits.

Give it a try with JetBrains Space and let us know how it goes!

image description