larsks - 3 months ago
Git Question

Verifying signed git commits?

With newer versions of git it's possible to sign individual commits (in addition to tags) with a PGP key:

git commit -m "some message" -S


And you can show these signatures in the output of git log with the --show-signature option:

$ git log --show-signature
commit 93bd0a7529ef347f8dbca7efde43f7e99ab89515
gpg: Signature made Fri 28 Jun 2013 02:28:41 PM EDT using RSA key ID AC1964A8
gpg: Good signature from "Lars Kellogg-Stedman <lars@seas.harvard.edu>"
Author: Lars Kellogg-Stedman <lars@seas.harvard.edu>
Date: Fri Jun 28 14:28:41 2013 -0400

this is a test


But is there a way to programmatically verify the signature on a given commit other than by grepping the output of git log? I'm looking for the commit equivalent of git tag -v -- something that will provide an exit code indicating whether or not there was a valid signature on a given commit.

Answer

Just in case someone comes to this page through a search engine, like I did: New tools have been made available in the two years since the question was posted: There are now git commands for this task: git verify-commit and git verify-tag can be used to verify commits and tags, respectively.
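One caveat a practitioner will want alongside git verify-commit: its exit status tells you the signature is cryptographically good for some key gpg knows, not whether that key is one you trust for this particular repository. The script below is an added example (not code from the question or the answer) that layers a per-repository allowlist on top of git's own verification, using the %G? and %GF placeholders of git log (git 2.16 or later); TRUSTED_FPRS, the fingerprint values and the script name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires git >= 2.16 for %GF.
# Exit 0 only when every commit in RANGE carries a Good ("G") signature made
# by a key whose fingerprint is in TRUSTED_FPRS; a cryptographically good
# signature from an unknown or merely-present key is not enough.

# Constructed placeholder fingerprint; replace with your real release keys.
TRUSTED_FPRS="${TRUSTED_FPRS:-0000000000000000000000000000000000000001}"

# verdict CODE FPR: prints "ok" or the reason, exit 0 only for ok.
# CODE is git's %G? status letter, FPR the signing key fingerprint (%GF).
verdict() {
  code="$1"; fpr="$2"
  case "$code" in
    G) ;;                                                 # good, valid
    U) echo "good signature, key validity unknown"; return 1 ;;
    X) echo "good signature but it has expired"; return 1 ;;
    Y) echo "good signature from an expired key"; return 1 ;;
    R) echo "good signature from a revoked key"; return 1 ;;
    B) echo "BAD signature"; return 1 ;;
    E) echo "cannot be checked (missing key)"; return 1 ;;
    N) echo "no signature"; return 1 ;;
    *) echo "unexpected status '$code'"; return 1 ;;
  esac
  case " $TRUSTED_FPRS " in
    *" $fpr "*) echo ok; return 0 ;;
    *) echo "signed by untrusted key ${fpr:-?}"; return 1 ;;
  esac
}

# check_range RANGE (e.g. origin/main..HEAD, or HEAD^! for a single commit).
# Returns 0 if all commits pass, 1 if any fail, 2 if git itself failed.
check_range() {
  hashes=$(git rev-list "$1") || return 2
  fail=0
  for h in $hashes; do
    status=$(git log -1 --format='%G? %GF' "$h") || return 2
    code=${status%% *}; fpr=${status#* }
    if reason=$(verdict "$code" "$fpr"); then
      printf '%s  OK\n' "$h"
    else
      printf '%s  FAIL: %s\n' "$h" "$reason"; fail=1
    fi
  done
  return "$fail"
}

# Usage as a CLI (constructed script name):  sh check-signed.sh origin/main..HEAD
# Add:  check_range "${1:-HEAD^!}"  as the last line to wire that up.
```

Use the script's exit status in CI the same way you would use git verify-commit's, but note that it also fails on "U" (good signature, unknown validity), which git's own status letters distinguish from "G".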
