🔐 Git Security & Authentication: Your Code’s Bodyguards
Analogy: Think of Git security like protecting your house. You need keys to get in (credentials), a special secret handshake (SSH), and a signature to prove it’s really you (commit signing). Let’s build your security fortress!
🏠 The Story: Meet Your Security Guards
Imagine you have a treasure chest (your code repository). You need:
- A doorman who remembers your face (Credential Helpers)
- A secret tunnel only you can use (SSH Keys)
- Your royal seal on every letter (Commit Signing)
- A way to check if the seal is real (Verifying Signatures)
Let’s meet each guard!
1️⃣ Credential Helpers: The Doorman Who Remembers You
What’s the Problem?
Every time you talk to GitHub, you need to prove who you are. Typing your password 100 times a day? No thank you!
What is a Credential Helper?
It’s like a friendly doorman who remembers your face. After you show your ID once, he lets you in without asking again!
How It Works
graph TD A["You type password once"] --> B["Credential Helper saves it"] B --> C["Next time: automatic entry!"] C --> D["No more typing passwords"]
Setting Up Your Doorman
Option 1: Remember for 15 minutes (Cache)
git config --global \
credential.helper cache
Option 2: Remember forever (Store)
git config --global \
credential.helper store
Option 3: Use your computer’s safe (Recommended!)
On Mac:
git config --global \
credential.helper osxkeychain
On Windows:
git config --global \
credential.helper manager
🎯 Simple Example
# Set up the helper
git config --global \
credential.helper store
# First push: enter password
git push origin main
# Enter username: yourname
# Enter password: ****
# Second push: no password needed!
git push origin main
# ✅ Just works!
⚠️ Safety Tip
store saves passwords in plain text. Use osxkeychain (Mac) or manager (Windows) for better security!
2️⃣ SSH Keys: Your Secret Tunnel
What’s the Problem?
Passwords can be guessed or stolen. What if you had a secret tunnel that only YOU could use?
What is SSH?
SSH stands for Secure Shell. It creates a secret tunnel between your computer and GitHub using two special keys:
- Private Key = Your secret key (NEVER share!)
- Public Key = A lock that only your key opens (share this!)
The Lock and Key Story
graph TD A["🔑 Private Key"] --> B["Lives on YOUR computer"] C["🔒 Public Key"] --> D["Lives on GitHub"] B --> E["They match!"] D --> E E --> F["✅ Secret tunnel opens"]
Creating Your Keys
Step 1: Generate the key pair
ssh-keygen -t ed25519 \
-C "your.email@example.com"
You’ll see:
Enter file: (press Enter)
Enter passphrase: ****
Step 2: Start the SSH agent
eval "$(ssh-agent -s)"
Step 3: Add your key
ssh-add ~/.ssh/id_ed25519
Step 4: Copy your public key
cat ~/.ssh/id_ed25519.pub
Step 5: Add to GitHub
- Go to GitHub → Settings
- Click “SSH and GPG keys”
- Click “New SSH key”
- Paste your public key
🎯 Test Your Tunnel
ssh -T git@github.com
Success message:
Hi yourname! You've successfully
authenticated!
💡 Pro Tip
Add a passphrase to your key! It’s like having a password for your password. Extra safe!
3️⃣ Commit Signing: Your Royal Seal
What’s the Problem?
Anyone can pretend to be you in Git! They just set your name and email. How do you prove a commit is really from you?
What is Commit Signing?
It’s like putting a wax seal on a letter. Only YOU have the seal stamp, so everyone knows it’s authentic!
graph TD A["Your Commit"] --> B["Add GPG Signature"] B --> C["🔏 Sealed Commit"] C --> D["GitHub shows 'Verified' ✅"]
Setting Up Your Seal (GPG Key)
Step 1: Create your GPG key
gpg --full-generate-key
Choose:
- Kind: RSA and RSA
- Size: 4096
- Expires: 0 (never)
- Name: Your Name
- Email: your@email.com
Step 2: Find your key ID
gpg --list-secret-keys \
--keyid-format=long
Look for the ID after sec rsa4096/:
sec rsa4096/ABC123DEF456
Step 3: Tell Git to use it
git config --global \
user.signingkey ABC123DEF456
Step 4: Sign commits automatically
git config --global \
commit.gpgsign true
Step 5: Add to GitHub
gpg --armor \
--export ABC123DEF456
Copy the output and paste in: GitHub → Settings → SSH and GPG keys → New GPG key
🎯 Signing a Commit
# Automatic (if commit.gpgsign=true)
git commit -m "My signed commit"
# Or manually with -S flag
git commit -S -m "My signed commit"
What You’ll See on GitHub
Your commit will show: Verified ✅
This tells everyone: “Yes, this is really from the person who owns this GPG key!”
4️⃣ Verifying Signed Commits: Checking the Seal
Why Verify?
If someone can sign commits, we need a way to check if the signature is real!
How to Verify
Check one commit:
git verify-commit HEAD
Check all commits in log:
git log --show-signature
Check only signed commits:
git log --show-signature \
| grep "Good signature"
What Good Looks Like
$ git verify-commit HEAD
gpg: Signature made Mon Dec 2
gpg: using RSA key ABC123...
gpg: Good signature from
"Your Name <you@email.com>"
What Bad Looks Like
$ git verify-commit HEAD
gpg: Signature made Mon Dec 2
gpg: BAD signature from
"Fake Person <fake@email.com>"
🎯 Real Example
# See all commits with signatures
git log --pretty=format:"%h %G? %s"
# Output:
# a1b2c3d G Fix bug (Good sig)
# d4e5f6g N Add feature (No sig)
# g7h8i9j B Oops (Bad sig!)
The letters mean:
- G = Good signature ✅
- N = No signature ⚠️
- B = Bad signature ❌
🎯 Quick Summary
| Guard | What It Does | Command |
|---|---|---|
| Credential Helper | Remembers passwords | git config credential.helper |
| SSH Keys | Secret tunnel access | ssh-keygen |
| Commit Signing | Proves it’s you | git commit -S |
| Verify Commits | Checks signatures | git verify-commit |
🚀 Your Security Journey
graph TD A["😰 Typing passwords daily"] --> B["Set up Credential Helper"] B --> C["😊 Passwords remembered"] C --> D["Create SSH Keys"] D --> E["🔐 Secure tunnel active"] E --> F["Set up GPG Signing"] F --> G["✅ Commits verified"] G --> H["🏆 Security Champion!"]
💡 Final Tips
- Start with Credential Helper - Easiest win!
- SSH Keys are safer than passwords
- Sign important commits on shared projects
- Verify before merging untrusted code
You now have four powerful guards protecting your code. Your repository is a fortress! 🏰
Remember: Security isn’t about being paranoid. It’s about being smart!