Gitsign implements keyless Sigstore signing for Git commits using a valid OpenID Connect identity. In practice, that means you won't need GPG keys or a complicated setup to sign your Git commits. After installing and configuring Gitsign within your project, signing a commit redirects you to a browser window to authenticate with a supported OpenID provider, such as GitHub or Google. The signing details are then stored in Rekor for subsequent verification.
Gitsign can be installed via the Go installer, with Homebrew, or with one of the package installers available on the project releases page. These include .deb and .rpm formats for Debian and Fedora systems, respectively. Check the installation page for more details on how to get Gitsign installed on your system.
Once configured, you can sign commits as usual with `git commit -S` (or run `git config --global commit.gpgsign true` to enable signing for all commits).
```
$ git commit
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&...
[main 040b9af] Signed commit
```
This will redirect you through the Sigstore Keyless flow to authenticate and sign the commit.
Commits can then be verified using `git verify-commit`:

```
$ git verify-commit HEAD
tlog index: 2801760
gitsign: Signature made using certificate ID 0xf805288664f2e851dcb34e6a03b1a5232eb574ae | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [firstname.lastname@example.org]
Validated Git signature: true
Validated Rekor entry: true
```
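A "good signature" alone only says the commit was signed by some Sigstore identity; a policy check should also require that both validations are true and that the signer is an identity you expect. The following script is an added example (not part of Gitsign or the original page) that parses the `git verify-commit` output format shown above and enforces such an allowlist; the sample output and the allowed e-mail addresses are constructed for the example, and the `verify_commit_policy` wrapper assumes git is already configured to run gitsign.

```shell
#!/bin/sh
# Policy check on gitsign verification output: both "Validated ..." lines must be
# true AND the signer identity must be on an allowlist.

# Constructed sample of gitsign output, in the format shown on this page.
SAMPLE_OUTPUT='tlog index: 2801760
gitsign: Signature made using certificate ID 0xf805288664f2e851dcb34e6a03b1a5232eb574ae | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [firstname.lastname@example.org]
Validated Git signature: true
Validated Rekor entry: true'

# check_gitsign_output OUTPUT ALLOWED_EMAIL...
# Returns 0 only when the Git signature and the Rekor entry both validated
# and the signer extracted from the "Good signature from [...]" line is allowed.
check_gitsign_output() {
    out=$1; shift
    printf '%s\n' "$out" | grep -qx 'Validated Git signature: true' || return 1
    printf '%s\n' "$out" | grep -qx 'Validated Rekor entry: true' || return 1
    signer=$(printf '%s\n' "$out" | sed -n 's/^gitsign: Good signature from \[\(.*\)\]$/\1/p')
    [ -n "$signer" ] || return 1
    for allowed in "$@"; do
        [ "$signer" = "$allowed" ] && return 0
    done
    return 1
}

# verify_commit_policy REV ALLOWED_EMAIL...
# Runs the real verification (requires gitsign installed and git configured to
# use it, e.g. gpg.format=x509 and gpg.x509.program=gitsign) and applies the policy.
verify_commit_policy() {
    rev=$1; shift
    out=$(git verify-commit "$rev" 2>&1) || return 1
    check_gitsign_output "$out" "$@"
}

# Example usage against the constructed sample (hypothetical allowlist):
if check_gitsign_output "$SAMPLE_OUTPUT" firstname.lastname@example.org; then
    echo "policy: commit accepted"
else
    echo "policy: commit rejected"
fi
```

In CI, call `verify_commit_policy HEAD <allowed addresses>` and fail the pipeline on a non-zero exit.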