CONCEPT Cited by 1 source
Commit signing
Commit signing is the cryptographic attachment of a signature to a Git commit (or tag) that lets verifiers later confirm the commit's contents and/or origin were not tampered with after creation. Git supports three pluggable signer families:
| Format | Git config | Typical use |
|---|---|---|
| GPG (OpenPGP) | `gpg.format=openpgp` (default) | individual developers, GitHub's web-flow signing key |
| SSH | `gpg.format=ssh` | reuse the SSH identity already used for auth |
| S/MIME (X.509) | `gpg.format=x509` + `gpg.x509.program=<program>` | enterprise PKI — corporate CAs typically issue X.509 |
The S/MIME path is the one that plugs natively into enterprise device-trust X.509 infrastructure: any cert the corporate CA already issues (for device identity, user identity, mTLS, etc.) can be reused to sign commits.
Typical S/MIME signing flow (pre-Figma modifications)
- Engineer configures `user.signingkey` to a specific key id in their keystore.
- `git commit -S` (or `commit.gpgsign=true`) invokes the configured signer program with `--status-fd=2 -bsau <user.signingkey>`, passing the bytes to sign on stdin.
- Signer program (e.g. systems/smimesign) looks up the key in the OS keystore (Keychain / Cert Store), produces a detached PKCS#7 / CMS signature, prints it on stdout.
- Git stores the signature in the commit object.
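The flow above, as an added shell example (not Figma's setup and not smimesign's own code): the Git configuration that selects the x509 signer family, plus a wrapper script Git invokes in place of `gpg`. The wrapper parses the `--status-fd=2 -bsau <key>` arguments Git passes, picks the current device-trust certificate out of `smimesign --list-keys` by issuer (so a rotating cert never needs to be pinned in `user.signingkey`), and execs `smimesign` with stdin still attached so the payload flows through. The wrapper name `sign-with-device-cert`, the issuer string, and the assumed layout of the `--list-keys` listing (`ID:` / `Issuer:` lines, records separated by blank lines) are assumptions for this example.

```shell
#!/bin/sh
# Added example: Git S/MIME signing through a wrapper that resolves the
# device-trust certificate at signing time. Names and the listing format
# below are assumptions, not project code.
set -eu

DEVICE_CA_ISSUER="${DEVICE_CA_ISSUER:-Device Trust Issuing CA}"   # assumed issuer substring
SMIMESIGN="${SMIMESIGN:-smimesign}"

# Writes a minimal gitconfig fragment that routes signing through the wrapper.
# $1 = gitconfig path (use ~/.gitconfig for real use), $2 = wrapper path.
write_git_smime_config() {
  printf '[gpg]\n\tformat = x509\n[gpg "x509"]\n\tprogram = %s\n[commit]\n\tgpgsign = true\n[tag]\n\tgpgsign = true\n' "$2" > "$1"
}

# Parses the argument vector Git hands a signer: "--status-fd=2 -bsau <key>".
# Sets STATUS_FD and REQUESTED_KEY as shell variables for the caller.
parse_signer_args() {
  STATUS_FD=2; REQUESTED_KEY=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --status-fd=*) STATUS_FD="${1#--status-fd=}" ;;
      -bsau)         REQUESTED_KEY="${2-}"; if [ $# -gt 1 ]; then shift; fi ;;
      *)             ;;   # other gpg-style flags are ignored
    esac
    shift
  done
}

# Reads a key listing on stdin and prints the ID of the first certificate whose
# Issuer line contains $1. Records are assumed to be blank-line separated.
select_device_cert() {
  awk -v want="$1" '
    function flush() {
      if (!found && id != "" && index(issuer, want)) { print id; found = 1 }
      id = ""; issuer = ""
    }
    /^[[:space:]]*ID:/     { id = $2 }
    /^[[:space:]]*Issuer:/ { sub(/^[[:space:]]*Issuer:[[:space:]]*/, ""); issuer = $0 }
    /^[[:space:]]*$/       { flush() }
    END                    { flush() }
  '
}

# Entry point Git calls. The key Git asked for is logged but the device cert
# is what signs; a missing device cert is a hard failure so Git refuses the commit.
sign_with_device_cert() {
  parse_signer_args "$@"
  key=$("$SMIMESIGN" --list-keys | select_device_cert "$DEVICE_CA_ISSUER")
  if [ -z "$key" ]; then
    echo "sign-with-device-cert: no certificate issued by '$DEVICE_CA_ISSUER' in keystore" >&2
    exit 1
  fi
  echo "sign-with-device-cert: git requested '$REQUESTED_KEY', signing with device cert $key" >&2
  exec "$SMIMESIGN" --status-fd="$STATUS_FD" -bsau "$key"
}

# Only act as the signer when installed under the wrapper name;
# sourcing the file for its functions does nothing.
case "${0##*/}" in
  sign-with-device-cert) sign_with_device_cert "$@" ;;
esac
```

Install the script as `~/bin/sign-with-device-cert`, run `write_git_smime_config ~/.gitconfig ~/bin/sign-with-device-cert`, and every `git commit` then goes through the wrapper; the `[GNUPG:] SIG_CREATED` status line Git waits for on the status fd is produced by `smimesign` itself.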
What signing attests to
- Classic GPG signing: "the holder of key K signed these bytes" — K is typically tied to a human developer identity.
- Device-trust S/MIME signing (Figma pattern): "the device holding cert C signed these bytes" — C is bound to a corporate-managed laptop, rotates frequently, and thus attests hardware origin rather than human identity.
The distinction matters for supply-chain policy: device-trust signing answers "did this code originate on a managed endpoint?" while user signing answers "did the authorised developer authenticate this change?" Both can be combined but address different threats.
Verification surfaces
- GitHub UI badge — shows "Verified" for commits signed with keys on the user's GitHub account.
- Custom verifier — policy-specific verification against a specific CA (e.g. Figma's Lambda-based Commit Signature Verification GitHub App) can post a commit status check separate from GitHub's own badge.
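What a custom verifier of the second kind has to do, as an added shell example (not Figma's Lambda code and not smimesign's): take the raw commit object, separate the `gpgsig` header from the payload Git actually signed (the object with that header removed, continuation lines un-indented), decode the PEM block to DER, verify it as a detached CMS signature chained only to the corporate CA, and then apply policy by checking the signer certificate's issuer. The `-----BEGIN SIGNED MESSAGE-----` PEM label is what smimesign emits; the exact `openssl cms` flag set (`-no-CAfile -no-CApath` to ignore the system store, `-purpose any` because device certs often lack the S/MIME EKU) is an assumption about OpenSSL 1.1/3.x, as are the sample commit object and CA file names.

```shell
#!/bin/sh
# Added example: split a Git commit object into signed payload + detached
# signature, then verify against a specific CA and check the issuer.
# Not project code; openssl flags and file names are assumptions.
set -eu

# $1 = raw commit object file, $2 = payload output, $3 = PEM signature output.
# The payload is the object with the gpgsig header removed, which is what the
# signer was given on stdin. A "gpgsig " line inside the message body is
# left alone because header parsing stops at the first blank line.
split_commit_object() {
  awk -v sig="$3" '
    inbody               { print; next }
    /^gpgsig / && !insig { insig = 1; print substr($0, 8) > sig; next }
    insig && /^ /        { print substr($0, 2) > sig; next }
    insig                { insig = 0 }
    /^$/                 { inbody = 1 }
    { print }
  ' "$1" > "$2"
}

# $1 = payload, $2 = PEM signature, $3 = corporate CA bundle, $4 = issuer substring.
# Returns 0 only if the CMS signature verifies under the given CA AND the
# signer certificate's issuer matches the device-trust CA policy.
verify_commit_signature() {
  payload="$1"; sig_pem="$2"; ca_file="$3"; issuer_match="$4"
  sig_der="${sig_pem%.pem}.der"; signer="${sig_pem%.pem}.signer.pem"
  # PEM label is non-standard for openssl, so strip armor and decode by hand.
  sed '/^-----/d' "$sig_pem" | openssl base64 -d > "$sig_der"
  # Cryptographic check: detached CMS over the raw payload bytes (-binary),
  # trusting only the corporate CA, not the system store.
  openssl cms -verify -binary -inform DER -in "$sig_der" -content "$payload" \
    -CAfile "$ca_file" -no-CAfile -no-CApath -purpose any \
    -signer "$signer" -out /dev/null || return 1
  # Policy check: the signing cert must have been issued by the device-trust CA.
  openssl x509 -in "$signer" -noout -issuer | grep -q -- "$issuer_match"
}

# $1 = commit-ish, $2 = corporate CA bundle, $3 = expected issuer substring.
verify_git_commit() {
  work=$(mktemp -d)
  git cat-file commit "$1" > "$work/commit.txt"
  split_commit_object "$work/commit.txt" "$work/payload" "$work/sig.pem"
  if [ ! -s "$work/sig.pem" ]; then
    echo "$1: unsigned" >&2; return 2
  fi
  if verify_commit_signature "$work/payload" "$work/sig.pem" "$2" "$3"; then
    echo "$1: verified, signed under device-trust CA"
  else
    echo "$1: signature or issuer check FAILED" >&2; return 1
  fi
}

# Run as: sh verify-device-signed-commit.sh <commit> <corp-ca.pem> "<issuer substring>"
if [ $# -eq 3 ]; then
  verify_git_commit "$@"
fi
```

The three exit codes (0 verified, 1 failed, 2 unsigned) map directly onto the success/failure/neutral states a commit status check can post, which is why the split and the policy check are kept as separate functions: the GitHub "Verified" badge answers neither "which CA?" nor "which issuer?".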
Seen in
- sources/2026-04-21-figma-enforcing-device-trust-on-code-changes — Figma uses S/MIME (`gpg.format=x509`) with a customised signer (`smimesign-figma` + a wrapper script) to sign every Git commit with the machine's device-trust X.509 certificate, then independently verifies signatures via a Lambda-backed GitHub App and gates release-branch merges on the verification status.
Related
- concepts/device-trust — the corporate PKI posture that supplies the X.509 certs for S/MIME signing.
- systems/smimesign — GitHub's open-source S/MIME signer.
- patterns/signed-commit-as-device-attestation — the pattern that binds device-trust PKI to supply-chain origin attestation.