🔐 Git: Ensuring the integrity and authenticity of history

on September 6, 2025

Git isn't just a version control system. It's also a traceability system designed to ensure that a project's history is both tamper-proof and authenticated.

Two main mechanisms ensure this reliability:

  • SHAs → integrity of content and metadata
  • GPG signatures → authenticity of the author and releases

🔑 SHAs: immutable fingerprints

Each commit is identified by a SHA-1 (40 hexadecimal characters). This hash is computed over the commit object, which covers:

  • the project tree
  • the parent commit's SHA
  • the files (blobs), through the tree
  • the metadata (author, date, message)

Example:

```text
commit a3f5c9d1e0b8f43c94c2f7d8c1e6a2b8f76d1234
Author: Alice <[email protected]>
Date:   Thu Sep 5 12:34:56 2024 +0200

    Fix parser edge case
```

Properties

  • Immutability: any change to the content or metadata produces a new SHA.
  • Dependency chain: each commit references its parent's SHA, so rewriting an old commit changes the SHA of every commit that follows it.
  • Reliable audit: two precise states of the project can be compared by SHA.
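To show how the SHA and the dependency chain work in practice, here is an added example (not code from the original post) that recomputes object ids the way Git does, builds a constructed two-commit history, and audits it by walking the parent chain. The identity, timestamp and messages are constructed; the only real values are Git's well-known empty-tree and empty-blob ids, which the functions reproduce.

```python
import hashlib

# Constructed sample identity and timestamp; not a real person or repository.
ALICE = "Alice <alice@example.com> 1725532496 +0200"

def git_object_id(kind: str, payload: bytes) -> str:
    """Object id exactly as Git computes it: sha1("<kind> <size>\\0" + payload)."""
    header = f"{kind} {len(payload)}".encode() + b"\x00"
    return hashlib.sha1(header + payload).hexdigest()

def build_commit(tree: str, parents: list, author: str, committer: str, message: str) -> bytes:
    """Serialise a commit in Git's layout: tree, parents, author, committer, blank line, message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode() + b"\n"

EMPTY_TREE = git_object_id("tree", b"")  # Git's well-known empty-tree id

def make_chain() -> tuple:
    """Constructed two-commit history; returns (object store, head id)."""
    store = {}
    body1 = build_commit(EMPTY_TREE, [], ALICE, ALICE, "Initial import")
    c1 = git_object_id("commit", body1)
    store[c1] = body1
    body2 = build_commit(EMPTY_TREE, [c1], ALICE, ALICE, "Fix parser edge case")
    c2 = git_object_id("commit", body2)
    store[c2] = body2
    return store, c2

def verify_chain(store: dict, head: str) -> bool:
    """Audit: walk parents from head, recomputing each id; tampered or missing objects fail."""
    todo, seen = [head], set()
    while todo:
        oid = todo.pop()
        if oid in seen:
            continue
        seen.add(oid)
        body = store.get(oid)
        if body is None or git_object_id("commit", body) != oid:
            return False
        for line in body.split(b"\n\n", 1)[0].split(b"\n"):
            if line.startswith(b"parent "):
                todo.append(line[7:].decode())
    return True

def tamper_root(store: dict) -> None:
    """Rewrite the root commit's message in place without updating its id (a history rewrite)."""
    root = next(k for k, v in store.items() if b"\nparent " not in v)
    store[root] = store[root].replace(b"Initial import", b"Initial import (edited)")
```

Calling `verify_chain` on the result of `make_chain()` returns True; after `tamper_root` edits the root commit's bytes, the recomputed id no longer matches and the audit returns False, which is exactly why a rewritten old commit cannot keep the SHAs that follow it.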

Useful Commands

```bash
git log --oneline --graph --decorate   # Condensed history
git show <sha>                         # Details of a commit
git diff <sha1>..<sha2>                # Compare two commits
git cat-file -p <sha>                  # Inspect internal objects
```

🛡️ GPG Signatures: Authenticate the Author

SHAs guarantee data integrity: content cannot change without its SHA changing. But they don't prove who produced a commit or tag, since anyone with write access can rewrite history and recompute every SHA.

Git allows adding a cryptographic signature via GPG.

Configuration

```bash
# Generate a key
gpg --full-generate-key
# Identify your key
gpg --list-secret-keys --keyid-format=long
# Configure Git
git config --global user.signingkey <KEYID>
git config --global commit.gpgsign true
```

Usage

```bash
# Signed commit
git commit -S -m "Fix bug in parser"
# Signed tag
git tag -s v2.0.0 -m "Release 2.0.0"
```

Verification

```bash
# Import the public key
gpg --keyserver pgp.mit.edu --recv-keys <PUBKEYID>
# Check a tag
git tag -v v2.0.0
# View the signature of a commit or tag
git show --show-signature <ref>
```

Expected output:

```text
gpg: Good signature from "Alice <[email protected]>"
```

Benefits

  • Protection against author impersonation.
  • Verification of the authenticity of releases (signed tags).
  • Possible integration into CI/CD pipelines (git verify-commit, git verify-tag).

📌 Best practices

  • Enable signing by default for your commits: `git config --global commit.gpgsign true`
  • Always sign official releases with git tag -s.
  • Publish your public key on a server or directly in GitHub/GitLab to allow verification by your collaborators.
  • Integrate automatic verification into your CI/CD workflows to reject unsigned code.

🚀 Conclusion

Using SHAs, Git ensures the integrity of the history. Using GPG signatures, it guarantees its authenticity.

Two complementary mechanisms that make Git a reliable tool, not only for collaboration, but also for securing the software supply chain.
