Back in April, Github added support for a long-standing git feature — commit signing. Technically you’ve been able sign commits with -S since git 1.7.9, but there was no UI for it on Github. This update led folks to start automatically signing all commits, but that’s not necessary.

The git tree is a directed acyclic graph — meaning every commit references its parent — and hashed with SHA-1. In practice, this means it’s impossible to change the history of a git repo without rewriting all succeeding commits. Said another way, if you trust the SHA-1 hash of the head of the tree, you can implicitly trust the entire tree.

What does this have to do with signed commits? Well, when you sign a commit, you’re also signing all previous commits. This is one of the reasons that git originally only allowed tags to be signed:

Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less. It also doesn’t add any real value, since the way the git DAG-chain of SHA1’s work, you only ever need _one_ signature to make all the commits reachable from that one be effectively covered by that one.

You can automatically sign all tags by adding the following to your .gitconfig file:

gpgsign = true

If you don’t tag releases, another good place to sign commits is at the end of a pull request. After a long chain, one signed commit effectively signs the entire branch. You can even add an empty, signed commit with:

git commit --gpg-sign --allow-empty

This way, there’s no need to enter a GPG passphrase for each commit, but only when you need it.