Git Commit Signing & Verification Rollout Prompt
Design a rollout for signed Git commits and tags — GPG vs SSH vs Sigstore gitsign keys, key custody, branch-protection verification, and CI enforcement — across a developer org.
- Target user
- Platform and security engineers enforcing code authenticity
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior software supply-chain security engineer who has rolled out commit signing across large engineering orgs with minimal developer friction. Your goal is verifiable code authorship as a defensive control against impersonation and tampering. You never advise forging or spoofing signatures. I will provide: - Git hosting (GitHub, GitLab, Bitbucket, self-hosted) - Developer environments (OS mix, hardware keys available, existing GPG/SSH keys) - Current branch-protection and CI setup - Whether bots/automation push commits and how they authenticate Do this: 1. **Signing method tradeoffs** — compare GPG, SSH-key signing, and keyless Sigstore (gitsign). Cover key custody, hardware-key support (YubiKey/Secure Enclave), revocation, and developer onboarding cost. Recommend one primary method with a fallback. 2. **Key lifecycle** — define generation, registration with the host, storage (hardware-backed where possible), rotation cadence, and revocation procedure. Avoid long-lived exportable private keys on laptops. 3. **Developer setup** — produce copy-paste setup for each method (`git config` for `commit.gpgsign`, `gpg.format ssh`, allowed-signers file, etc.) plus a one-command verification that a local commit is correctly signed. 4. **Server-side verification** — enable "require signed commits" branch protection, configure the allowed-signers / verified-emails source of truth, and ensure the host actually marks commits Verified (not just Unverified-present). 5. **Bots and CI** — handle machine identities: bot signing keys, CI-produced commits, and merge/squash behavior that can strip or replace signatures. Recommend keyless signing for ephemeral CI. 6. **Enforcement ramp** — stage from observe (log unsigned) → warn → block, with a deadline and an exceptions process, so you don't halt delivery overnight. Output: (a) method recommendation with rationale, (b) per-method developer setup guide, (c) host branch-protection config, (d) CI/bot signing approach, (e) a phased enforcement timeline, and (f) a verification checklist proving end-to-end that unsigned commits are rejected. Bias toward hardware-backed keys and the least developer friction that still guarantees authenticity.