
So as an exercise I'm trying to figure out how to locally verify a git commit signature.

As an example I am using https://github.com/ethereum/go-ethereum/commit/0a68558e7e025afebf67b81bf48ecb8b0fa7c06d.

The public key for this sig is https://github.com/web-flow.gpg.

When I run the following

git verify-commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d 

The result I get is that it is a valid commit.

However I want to figure out a way to write a script to do this.

I have defined two files

commit.txt

commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
Author: Péter Szilágyi <peterke@gmail.com>
Date:   Fri Aug 13 15:39:51 2021 +0300

accounts/external: handle 0 chainid as not-set for the Clef API (#23394)

* accounts/external: handle 0 chainid as not-set for the Clef API

* accounts/external: document SignTx

Co-authored-by: Felix Lange <fjl@twurst.com>

And using git cat-file -p <commit-hash> I get the signature and store it in a file doc.sig

-----BEGIN PGP SIGNATURE-----

wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----

However when I run

gpg --verify doc.sig commit.txt

I get the following

gpg: Signature made Fri Aug 13 05:39:51 2021 PDT
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: BAD signature from "GitHub (web-flow commit signing) <noreply@github.com>" [unknown]

I get a similar result when trying to verify the signature via an openpgpjs script https://github.com/openpgpjs/openpgpjs

Anyone have an idea as to what I might be doing wrong?

Robert Lemiesz

1 Answer


The output you're seeing from git log is not the actual commit data. To see the actual commit data, run git cat-file commit OID:

tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
gpgsig -----BEGIN PGP SIGNATURE-----

 wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
 DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
 3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
 /Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
 r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
 dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
 =qe4m
 -----END PGP SIGNATURE-----


accounts/external: handle 0 chainid as not-set for the Clef API (#23394)

* accounts/external: handle 0 chainid as not-set for the Clef API

* accounts/external: document SignTx

Co-authored-by: Felix Lange <fjl@twurst.com>

Note that the commit does not end with a newline here.

You remove the gpgsig header (or gpgsig-sha256 header) and its trailing lines altogether, and that is the data over which the signature is made:

tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300


accounts/external: handle 0 chainid as not-set for the Clef API (#23394)

* accounts/external: handle 0 chainid as not-set for the Clef API

* accounts/external: document SignTx

Co-authored-by: Felix Lange <fjl@twurst.com>

The signature is the data in the gpgsig header, or, for SHA-256 repositories, the gpgsig-sha256 header.

You shouldn't copy and paste this data, since the exact data is required for the signature to match. Instead, you can do this:

$ git cat-file commit HEAD | sed -e'/^gpgsig/d; /^ /d' >commit
$ git cat-file commit HEAD | sed -ne'/^gpgsig/,/---END/s/^[a-z]* //p' >sig
$ gpg --verify sig commit
bk2204
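The answer's point is that the signature covers the raw commit object minus the gpgsig header, byte for byte, so the split has to be done on the exact `git cat-file commit` output rather than on anything `git log` prints. The script below is an added example (not the answerer's code and not part of go-ethereum): it parses a raw commit object, removes the `gpgsig` or `gpgsig-sha256` header together with its space-prefixed continuation lines, reassembles the armored signature, and hands both pieces to `gpg --verify`. It assumes `gpg` is on `PATH` and that the signer's public key (for this commit, https://github.com/web-flow.gpg) has already been imported. The embedded sample object is reconstructed from the `cat-file` output quoted in the answer and is constructed data: its whitespace may not be byte-exact, so the `git_oid` check is meant for real `git cat-file` output, where the computed OID must equal the commit hash you asked for.

```python
"""Split a raw git commit object into its signed payload and detached PGP
signature, then verify with gpg. Added example; assumes gpg on PATH and the
signer's public key already imported."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile

SIG_HEADERS = (b"gpgsig", b"gpgsig-sha256")

# Constructed sample: reconstructed from the cat-file output in the answer.
# Inside the gpgsig header every continuation line, including the blank one
# in the armor, starts with a single space, exactly as git stores it.
SAMPLE_COMMIT = (
    "tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f\n"
    "parent fd604becbb952cc46111a77ea4e5b76b4617fa49\n"
    "author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300\n"
    "committer GitHub <noreply@github.com> 1628858391 +0300\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT\n"
    " DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa\n"
    " 3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt\n"
    " /Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL\n"
    " r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM\n"
    " dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=\n"
    " =qe4m\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "accounts/external: handle 0 chainid as not-set for the Clef API (#23394)\n"
    "\n"
    "* accounts/external: handle 0 chainid as not-set for the Clef API\n"
    "\n"
    "* accounts/external: document SignTx\n"
    "\n"
    "Co-authored-by: Felix Lange <fjl@twurst.com>\n"
).encode("utf-8")


def split_signed_commit(raw: bytes):
    """Return (payload, signature) for a raw commit object.

    payload   - the bytes the signature was made over: the object with the
                gpgsig/gpgsig-sha256 header and its continuation lines removed
    signature - the ASCII-armored signature, continuation prefixes stripped,
                or None when the commit carries no signature header
    Only continuation lines *inside* the signature header are dropped, so an
    indented line in the commit message itself is left untouched.
    """
    headers, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("not a commit object: no header/message separator")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        name, _, rest = line.partition(b" ")
        if line.startswith(b" ") and in_sig:
            sig_lines.append(line[1:])          # continuation of the armor
        elif name in SIG_HEADERS:
            in_sig = True
            sig_lines.append(rest)              # first armor line
        else:
            in_sig = False
            kept.append(line)                   # any other header stays
    payload = b"\n".join(kept) + sep + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def git_oid(raw: bytes, algorithm: str = "sha1") -> str:
    """Object id of a raw commit: hash of 'commit <len>\\0' + content.
    Use algorithm='sha256' for SHA-256 repositories (gpgsig-sha256)."""
    h = hashlib.new(algorithm)
    h.update(b"commit %d\0" % len(raw))
    h.update(raw)
    return h.hexdigest()


def verify_with_gpg(payload: bytes, signature: bytes) -> bool:
    """Run gpg --verify on the split pieces and report a GOODSIG result."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    with tempfile.TemporaryDirectory() as d:
        sig_path, data_path = os.path.join(d, "sig"), os.path.join(d, "commit")
        with open(sig_path, "wb") as f:
            f.write(signature)
        with open(data_path, "wb") as f:
            f.write(payload)
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
            capture_output=True)
    # Machine-readable status goes to stdout; GOODSIG means the signature
    # matches the key, independent of how much you trust that key.
    return proc.returncode == 0 and b"[GNUPG:] GOODSIG " in proc.stdout


if __name__ == "__main__":
    # usage: python verify_commit.py <oid>   (run inside the repository)
    oid = sys.argv[1] if len(sys.argv) > 1 else "HEAD"
    raw = subprocess.run(["git", "cat-file", "commit", oid],
                         check=True, capture_output=True).stdout
    print("object id recomputed:", git_oid(raw))
    payload, signature = split_signed_commit(raw)
    if signature is None:
        sys.exit("commit is not signed")
    print("signature valid:", verify_with_gpg(payload, signature))
```

Recomputing the object id from the raw bytes before splitting is the cheap way to confirm you are verifying exactly what git hashed; if it does not match the commit hash, something (an editor, a copy-paste, a line-ending conversion) has altered the input and a BAD signature is expected.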
  • still gives me the same error. Is there any way to just output the contents of the commit/sig to files separately without relying on copy pasting? – Robert Lemiesz Aug 18 '21 at 05:07
  • I've updated the answer to provide some shell commands to extract the data. – bk2204 Aug 18 '21 at 21:39
  • Thanks, I have solved the issue now. Also, figured out how to self-sign my commits using a custom key https://github.com/lemiesz/verify-git-commit – Robert Lemiesz Aug 18 '21 at 23:47