Replies: 26 comments 8 replies
This comment was marked as off-topic.
This comment was marked as off-topic.
-
Great resources |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
Okay this looks fantastic!! for an small file it works! but how do I sent a proper file, like for instance a YAML in the payload for creating a blob? |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
Hi @loujr , how can we use this when we don't control the commit? Like when using Lerna or Semantic Release for automatic versioning and changelog.md changes? This is done by the tool. We checkout the repo by using a token generated by a GitHub App, but how do we make those commits verified? Now we have added the GitHub App to the bypass list (because we force verified commits). |
Beta Was this translation helpful? Give feedback.
-
just to make it clear - the sha value you are sending on the 3rd step should have been |
Beta Was this translation helpful? Give feedback.
-
Hello is it possible to push signed commit with a github app installation token using the git CLI? I'll like to be able to run |
Beta Was this translation helpful? Give feedback.
-
Hello, I'm having trouble reproducing this for GitHub enterprise instances. Has anyone tried this approach with a GitHub enterprise instance. I noticed for GitHub.com, the committer information for the created commit looks like the above: "committer": {
"name": "GitHub",
"email": "noreply@github.com",
"date": "2023-03-06T19:01:13Z"
} and the created commit is verified. However, on GitHub Enterprise, it looks a bit different, and the created commit isn't verified. |
Beta Was this translation helpful? Give feedback.
-
I just wanted to note for future readers, if you are using the email address for the GitHub App for other processes, there is a format you have to use:
That ID ( You can get the user ID of the app via the the API using one of these:
|
Beta Was this translation helpful? Give feedback.
-
Preciso entrar wi fi |
Beta Was this translation helpful? Give feedback.
-
How do you know that someone has not tampered with your code and pushed in a lot of commits claiming to be someone they're not? A verified commit is a signature on the changes you have made to your codebase. Commit signing provides a tamper seal that adds an extra level of assurance that the person who committed changes to a repository is the person they claim to be. This signature can be signed multiple different ways such as GPG, SSH, or S/MIME. If this signature is present, GitHub will mark this commit as verified.
Why would anyone need to sign a commit using a bot? Maybe your organization has a tightly controlled codebase that needs to be audited and commits need to be from verified sources. Maybe your CI/CD infrastructure has a lot of branch protection requirements and requires verified commits. Additionally, you might have a lot of contractors filter in and out of your organization. This functionality could also be a tool of last resort if your verified chain is broken or compromised in some way. This feature allows your development team to submit changes to your codebase and have a trusted third party integration verify authenticity of the origin of these commits.
Outlined in this article is a step by step process of uploading a file to a repository and having the commit signed by a GitHub App. In this example, we will be using app-evil-corp bot to sign commits on our test repository on behalf of Evil Corp our favorite fictional corporation from the show Mr. Robot.
In order to set up GitHub App commit signing. You first must create and install a GitHub App and obtain a GitHub App Installation Token. For more information on how to create a GitHub App, please check out Creating a GitHub App and Installing GitHub Apps for GitHub App installation instructions. To obtain a GitHub App Installation Token, please check out the community article GitHub App Installation Token and Authenticating as a GitHub App.
There are three steps to using GitHub App commit signing:
Creating a Tree
A tree is an object that allows you to create a hierarchy between files in a git repository. Without a tree, there is no way to associate all the tracked blob files and their contents. Blob is just a fancy way of saying its a whole bunch of compressed data (using zlib) and stored in an object database. A tree is really an index of all that information that explains which corresponding file belong to which directory.
To create a tree, curl the following endpoint Create a tree. For GitHub App commit signing, the following parameters are needed:
base_tree
- This is the SHA of the branch you have made your commit. In this example, this SHA is the last commit sha for the main branch of test repositoryrepo-test555
.tree
- build's a new tree object on this branch requires an array of objectspath
- file that you are referencing in this treemode
- permissions of the file referenced in your tree can be one of100644
for file (blob),100755
for executable (blob),040000
for subdirectory (tree),160000
for submodule (commit), or120000
for a blob that specifies the path of a symlink.type
-blob
,tree
, orcommit
content
- the content you want the file to have. GitHub will write this blob out and use that SHA for this entry. Use either this, or tree.sha.Note: To find the full SHA of your last commit, you can look at the commits history of your repository. To copy the SHA, click the square next to the commit that says: Copy the full SHA
In this example, the file
helloworld.py
was uploaded with the permissions644
to repository Repo-Test555. The file is a blob file and contains the messagehello world
.The following response was received after making this API call. A tree object was created containing the contents of
repo-test555
.Note: The SHA response
b12fd1716b81a52f233940c82ab67f6500238701
is critical for making a commit. Please retain this value in your response.Create a Commit
After a new tree is created, a new commit must also be made. This commit contains both the commit message as well as the SHA of the new tree and the SHA of the base branch. To create a Commit, curl the following endpoint Create a Commit. Using a GitHub App Installation Token will skip the need to specify a PGP Key, instead GitHub will sign the commit using their PGP Key through the GitHub App. To use GitHub App commit signing, you will need the following parameters:
message
- The commit message of verified commitparents
- The commit SHA of the branch you made your commitstree
- The SHA that was returned after you created your new treeOn the response, you can see the
verification
object. This object contains theverified
key which is a boolean value. If the value istrue
, the commit was verified. If the value isfalse
, the commit was not verified. Further, the PGP signature is included in thesignature
key. Because you have used the GitHub App Installation token, GitHub is able prove that you have access to this GitHub App and uses their (GitHub's) PGP key to sign the commit.Note A the time of making this commit, the commit is not referenced in the
main
branch. It exists as a commit on a fork outside of the repository until we update the reference. This is apparent when you view thehtml_url
of the commit.Update a Reference
Updating a reference is a final step in the process of using GitHub App Commit Signing. We take our newly created tree and our new commit and we associate the two together. Once we add the commit to our newly formed tree our bot is going to see the GitHub App Installation Token, it will say "looks good to me" and then give us the seal of authenticity. To create this reference we need the SHA value for our new commit. To update a reference, curl the following endpoint Update a Reference remember to use the SHA value response from making your commit.
SHA
- Response from theCreate a Commit
endpoint.Congratulations you have signed a commit using GitHub Commit Signing! You can check out more about GitHub Commit Signing here. To display verifcation statuses for all your commits, read About Vigilant Mode.
Beta Was this translation helpful? Give feedback.
All reactions