LinuxCommandLibrary

git-verify-commit

Verify the GPG signature of a commit

TLDR

Check commits for a GPG signature

$ git verify-commit [commit_hash1 optional_commit_hash2 ...]

Check commits for a GPG signature and show details of each commit
$ git verify-commit [commit_hash1 optional_commit_hash2 ...] [-v|--verbose]

Check commits for a GPG signature and print the raw details
$ git verify-commit [commit_hash1 optional_commit_hash2 ...] --raw

SYNOPSIS

git verify-commit [<options>] <commit>...

PARAMETERS

<commit>...
    Specifies the commit objects to verify. Can be commit SHAs, branch names, or other references that resolve to commits.

--raw
    Print the raw GPG status output instead of the human-readable messages.

DESCRIPTION

git-verify-commit is a Git plumbing command used to verify the GPG signature of a commit object. It checks that the signature is valid for the commit object and matches the committer identity recorded in it. The command outputs 'gpg: Good signature' on success, or an error message if the signature is invalid or cannot be verified. This command is crucial for ensuring the integrity and authenticity of commits in a Git repository, contributing to the overall security and trustworthiness of the codebase. It works by extracting the signature from the commit object and then using GPG to verify that the signature matches the content of the commit and the claimed committer.

Using this command helps prevent malicious actors from injecting unauthorized changes into a repository by forging commit identities. Verification failures should be treated as a sign of potential tampering.

CAVEATS

Requires GPG to be properly configured and available in the system's PATH.
The commit needs to be GPG signed to be verifiable.
Verification relies on having the appropriate public keys in the GPG keyring.

EXIT STATUS

The command exits with a non-zero status if any of the specified commits fail verification. A zero exit status indicates that all commits were successfully verified.

SECURITY CONSIDERATIONS

Always ensure that the GPG keys used for verification are trusted and belong to the expected committer. Do not blindly trust signatures. Verify and understand whom you trust.
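The EXIT STATUS and SECURITY CONSIDERATIONS sections together, as an added example that is not part of this page or of Git itself: the POSIX shell script below reads the raw GnuPG status lines that `git verify-commit --raw` writes to stderr and turns a good signature from an untrusted key, which Git by default still reports with exit status 0, into a policy failure. The helpers `has_status`, `classify_gpg_status` and `enforce_range` and the sample status blocks are assumptions of this example; the keyword names (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, TRUST_*) are GnuPG's status-interface keywords.

```shell
# Added example (not from the git-verify-commit page or from Git): classify a commit by the
# raw GnuPG status that `git verify-commit --raw <commit>` emits, and enforce "good signature
# from a FULLY or ULTIMATELY trusted key". Helper names and sample blocks are constructed.

# True when $2 contains a line "[GNUPG:] $1", optionally followed by arguments.
has_status() {
    printf '%s\n' "$2" | grep -q -e "^\[GNUPG:\] $1 " -e "^\[GNUPG:\] $1\$"
}

# Print a verdict for one commit's raw status; return 0 only when the policy is satisfied.
classify_gpg_status() {
    if has_status BADSIG "$1"; then
        echo "bad-signature"; return 1
    elif has_status ERRSIG "$1" || has_status NO_PUBKEY "$1"; then
        echo "unverifiable-key-not-in-keyring"; return 1
    elif has_status GOODSIG "$1"; then
        # gpg reports GOODSIG even when the signing key is not trusted, and git then
        # exits 0 by default; the TRUST_* line is what tells the two cases apart.
        if has_status TRUST_ULTIMATE "$1" || has_status TRUST_FULLY "$1"; then
            echo "trusted"; return 0
        fi
        echo "good-signature-untrusted-key"; return 1
    fi
    echo "unsigned"; return 1
}

# Apply the policy to every commit in a range, e.g. enforce_range origin/main..HEAD
# (hypothetical helper; git prints the status on stderr, hence 2>&1).
enforce_range() {
    for c in $(git rev-list "$1"); do
        raw=$(git verify-commit --raw "$c" 2>&1 || true)
        if v=$(classify_gpg_status "$raw"); then
            echo "ok   $c $v"
        else
            echo "FAIL $c $v"; return 1
        fi
    done
}

# Constructed sample status blocks (not real gpg output) for three situations.
SAMPLE_TRUSTED='[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.com>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
SAMPLE_UNTRUSTED='[GNUPG:] GOODSIG FEDCBA9876543210 Unknown Contributor <someone@example.com>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_MISSING_KEY='[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1704067200 9 -
[GNUPG:] NO_PUBKEY FEDCBA9876543210'
```

Git 2.26 and later can enforce the same trust floor natively through the gpg.minTrustLevel setting (for example `fully`); the parser is useful on older Git or where a CI job wants a per-commit verdict.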

HISTORY

git-verify-commit has been a part of Git for a while, evolving alongside Git's support for GPG signing. It emerged as a tool needed to provide a mechanism to cryptographically ensure who is signing each commit. As best practices around code signing have evolved over the years, so has Git's support for using GPG and other signing technologies.

SEE ALSO
