Signed commits ensure that a commit really came from the holder of the matching private key, which prevents identity forgery (anyone can set git config user.email to your email address).

Setting up GPG signing:
gpg --gen-key
gpg --list-secret-keys --keyid-format=long
# Take the key ID, e.g. 3AA5C34371567BD2
git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true
# Upload the public key to GitHub Settings → SSH and GPG keys

SSH signing (newer and easier than GPG; requires Git 2.34 or later):
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

GitHub shows a Verified badge on a commit when its signature is valid; for SSH signing the public key must also be uploaded under Settings → SSH and GPG keys as a signing key.

When to enforce:
- Regulated industries (fintech, healthcare): audit trail
- Open source projects: defends against supply chain attacks (someone pushing code under a maintainer's name)
- When GitHub Actions deploys from commits: ensure that only signed commits are deployed

Note: GPG key rotation is complex; SSH signing is easier to manage for an enterprise.
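The deployment gate from the last "when to enforce" point, as an added example that is not part of the original page: a POSIX shell function that reads git's per-commit signature status codes and rejects a range unless every commit carries a good signature from a trusted key. It assumes the check runs where the signers' public keys are trusted (the GPG keyring, or for SSH signing a file named by gpg.ssh.allowedSignersFile); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the original page's code. Requires Git 2.34+ for SSH
# signatures. Without a gpg.ssh.allowedSignersFile (or without the GPG public
# key imported), git reports even well-signed commits as unverifiable, so the
# gate fails closed rather than open.

# Map git's %G? status code to a verdict. Only G (good signature, trusted key)
# passes. U = good but untrusted key, X/Y = expired signature or key,
# R = revoked key, B = bad signature, E = cannot be checked, N = unsigned.
signature_status_ok() {
    case "$1" in
        G) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "<sha> <status> <signer>" lines on stdin, the shape produced by
# git log --format='%H %G? %GS'. Report every offender, fail if any exist.
gate_signature_report() {
    bad=0
    while read -r sha status signer; do
        [ -n "$sha" ] || continue
        if ! signature_status_ok "$status"; then
            echo "REJECT $sha status=$status signer=${signer:-none}" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Gate the commits a deployment would ship, e.g. gate_range "origin/main..HEAD".
gate_range() {
    git log --format='%H %G? %GS' "$1" | gate_signature_report
}
```

Wire `gate_range` into the deploy job before any artifact is built so an unsigned or untrusted commit stops the pipeline at the first step.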