Configuring commit signing
As a core committer, you have the ability to affect over a million websites. It is a role that requires immense trust. It also means that you are a potential target for social engineering attacks. A malicious actor could impersonate you simply by configuring git to use your name and email. Combined with either compromised access control on Drupal.org or a social engineering scam, this could lead to Drupal core itself being compromised.
One way to mitigate these risks is to sign your commits. GitLab identifies signed commits in the user interface, so if a commit were to appear under your name but without your signature, it would be a clear signal of suspicious activity.
- If you use macOS, you may wish to install the GPG Suite to add your commit signature to your keychain. Linux users may wish to configure gpg-agent to save their passphrase.
- Follow GitLab's instructions for creating a GPG key for your committer username and email address. (You may wish to use the preconfigured Drupal.org no-reply address to keep your email private. See the core git configuration instructions for more information.)
- Follow GitLab's instructions for adding a GPG key to your account. Or proceed to your Drupal GitLab user settings page for managing GPG keys.
- Follow GitLab's instructions for configuring git with your key. Make note of the key ID in the instructions.
- Follow GitLab's instructions for signing your commits.
- After making a commit you can confirm that the commit is verified.
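The check described above (a commit under your name without your signature is a signal of suspicious activity) can also be run against local git log output. The script below is an added example, not part of the original page or of GitLab's instructions; the function names, hashes and email addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Drupal.org or GitLab code): list commits recorded under
# a committer email that do not carry a good signature.
#
# Input: one commit per line, "<hash> <status> <committer email>", as printed
# by: git log --format='%H %G? %ce'
# %G? codes per the git-log documentation: G good, B bad, U good with unknown
# validity, X good but expired, Y good but made by an expired key, R good but
# made by a revoked key, E cannot be checked (e.g. missing key), N none.

flag_unverified() {
    # $1 = committer email to audit (compared case-insensitively)
    awk -v email="$1" '
        BEGIN {
            why["N"] = "no signature"
            why["B"] = "bad signature"
            why["U"] = "good signature, unknown validity"
            why["X"] = "signature expired"
            why["Y"] = "signed by expired key"
            why["R"] = "signed by revoked key"
            why["E"] = "signature cannot be checked"
        }
        tolower($3) == tolower(email) && $2 != "G" {
            reason = ($2 in why) ? why[$2] : "unknown status " $2
            print $1, reason
        }'
}

audit_repo() {
    # $1 = path to a git checkout, $2 = committer email
    git -C "$1" log --format='%H %G? %ce' | flag_unverified "$2"
}

# Constructed sample input (hashes shortened, addresses are placeholders).
SAMPLE_LOG='a1b2c3d G dev@example.com
e4f5a6b N dev@example.com
c7d8e9f N other@example.com
0a1b2c3 B dev@example.com
4d5e6f7 E Dev@Example.com'

printf '%s\n' "$SAMPLE_LOG" | flag_unverified dev@example.com
```

Against a real checkout, call audit_repo with the repository path and your committer email. A status of E usually means the signer's public key is missing from the local keyring, so import the key before treating the commit as suspect.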
Useful commands
To automatically sign all commits in a repository, run:
git config commit.gpgsign true
To automatically sign commits in all repositories, run:
git config --global commit.gpgsign true
You can show your GPG keys by running:
gpg --list-secret-keys --keyid-format LONG
Get the public key for a key by running:
gpg --armor --export [ID]
(where [ID] is the key ID you made note of earlier).