Submitted by Style Pass, 2025-01-22 04:30:03

This is heavily inspired by https://github.com/github/smimesign, but uses keyless Sigstore to sign Git commits with your own GitHub / OIDC identity.

For environment variables that support the Sigstore prefix, the value may be provided with either a GITSIGN_ or a SIGSTORE_ prefix, e.g. GITSIGN_CONNECTOR_ID or SIGSTORE_CONNECTOR_ID. If both variables are set, the GITSIGN_-prefixed one takes priority.

Once configured, you can sign commits as usual with git commit -S (or git config --global commit.gpgsign true to enable signing for all commits).

Once configured, you can sign commits as usual with git tag -s (or git config --global tag.gpgsign true to enable signing for all tags).

NOTE: gitsign verify is preferred over git verify-commit and git verify-tag. The git commands do not pass through any expected identity information to the signing tools, so they only verify cryptographic integrity and that the data exists on Rekor, but not who put the data there.
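The setup, the prefix precedence rule, and the identity-aware verification described above, as an added shell example (not gitsign's own code). It assumes gitsign is installed and on PATH; the git config keys are the ones gitsign documents, and the --certificate-identity / --certificate-oidc-issuer flags are the cosign-style options gitsign verify accepts (confirm with gitsign verify --help). The resolve_sigstore_env helper is a hypothetical name used here to illustrate the GITSIGN_ over SIGSTORE_ precedence; it is not a gitsign function.

```shell
#!/bin/sh
# Added example, not part of gitsign. Assumes gitsign and git are on PATH.

# Resolve a setting the way the README describes: GITSIGN_<NAME> wins,
# SIGSTORE_<NAME> is the fallback, and an empty string means neither is set.
resolve_sigstore_env() {
    name=$1
    eval "gitsign_val=\${GITSIGN_${name}:-}"
    eval "sigstore_val=\${SIGSTORE_${name}:-}"
    if [ -n "$gitsign_val" ]; then
        printf '%s' "$gitsign_val"
    else
        printf '%s' "$sigstore_val"
    fi
}

# Point git at gitsign for both commit and tag signatures.
# --local scopes the settings to the current repository only.
configure_gitsign() {
    git config --local commit.gpgsign true
    git config --local tag.gpgsign true
    git config --local gpg.x509.program gitsign
    git config --local gpg.format x509
}

# Verify HEAD against an expected signer identity and OIDC issuer.
# git verify-commit cannot take these, which is why gitsign verify is preferred:
# without them a valid signature from any identity would pass.
verify_head() {
    identity=$1
    issuer=${2:-https://github.com/login/oauth}   # assumed default for GitHub logins
    gitsign verify \
        --certificate-identity="$identity" \
        --certificate-oidc-issuer="$issuer" \
        HEAD
}
```

Usage: run configure_gitsign once inside the repository, commit as usual with git commit -S, then check the signer with verify_head "you@example.com". If the identity or issuer does not match the certificate in the signature, verification fails even though the signature itself is cryptographically valid and present in Rekor.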

Gitsign is compatible with other Sigstore tools such as cosign and can run against Sigstore instances other than the default public instance. See the cosign documentation for how to configure and use another instance.
