Signing commits is not bureaucracy: it is the integrity of the author and history. When an incident occurs, knowing who approved and who integrated a change is no longer optional.

Guided practical case

Team of 8 people, two critical repos and quarterly audit requirement. Current problem:

  • commits without verifiable author,
  • squash merges without clear PR reference,
  • difficulty reconstructing decisions in incidents.

Plan in 3 phases:

  1. mandatory signature on protected branches,
  2. message convention + reference to issue/PR,
  3. CI rules to reject unverified commits.

Base configuration

Signing with SSH (simple and portable):

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

Quick check:

git log --show-signature -1

Traceability policy that does work

  • Every commit in main enters via PR.
  • Each PR reference issue (Closes #123) and risk context.
  • Merges maintain a relationship with PR and author (avoid opaque flows).
  • Hook/CI validates commit convention + verified signature.

Actionable checklist

  • Activate commit signing for the entire team
  • Block merge of unverified commits on protected branches
  • Define commit convention and mandatory reference to issue/PR
  • Train the team in git log --show-signature
  • Audit each sprint a sampling of end-to-end traceability

Happy reading! ☕

Related Articles

Firma de commits y trazabilidad en equipos sin friccionComo implementar firma de commits y politicas de trazabilidad que mejoran auditoria y confianza sin frenar al equipo.
gitsecurity
Git with Multiple SSH Accounts Without ConflictsClean setup for personal and work Git identities using multiple SSH keys without authentication mistakes.
gitsecurity
Git con multiples cuentas SSH sin conflictosConfigura varias cuentas Git con SSH de forma limpia y mantenible para trabajar personal y corporativo sin errores de identidad.
gitsecurity

Comments