When I sign a git commit, what is my signature actually based on?

Question

I'm curious about what data actually gets signed when I sign a git commit or tag? Is it simply the commit message and metadata?

How could I manually duplicate the signature, use gpg instead of git?

This post goes into these details: https://people.kernel.org/monsieuricon/what-does-a-pgp-signature-on-a-git-commit-prove — mricon, Jan 15 '21 at 14:44

score 5 · Accepted Answer · edited Jan 15 '21 at 08:08

5

I took a look at the function "commit_tree_extended" in the git source code for the file "commit.c" (e.g., in this blob).

Based on reviewing this function, when you sign a commit it seems to be signing a string that contains identifiers for the tree object_id, parent object_id, author, committer, encoding (if not utf-8), commit_extra_header, and the commit message.

edited Jan 15 '21 at 08:08

Jörg W Mittag

1,190
7
11

answered Jan 15 '21 at 04:42

hft

4,910
17
32

1

Excellent, so commit message and metadata was on the right track. Thank you for the precision. :-) – flickerfly Jan 15 '21 at 14:15
1

The joys of open source :) – hft Jan 15 '21 at 18:35

When I sign a git commit, what is my signature actually based on?

1 Answers1