Step 4 - Verify Git Commit

- Thomas Jungbauer Thomas Jungbauer ( Lastmod: 2024-05-08 ) - 3 min read

Besides checking the source code quality, we should also verify if the commit into Git was done by someone/something we trust. It is a good practice to sign all commits to Git. You need to prepare your Git account and create trusted certificates.

I will not describe how exactly you need to configure Git to sign your commit. Verify the following link to learn more about Signing Commits


The goals of this step are:

  • Verify if the last commit has been signed


  • Signing public key

  • Configured Git to verify your gpg signature

When your commit is signed, Git will show that:

Figure 1. Pipeline


  1. Create the following Secret that contains your PUBLIC key.

    kind: Secret
    apiVersion: v1
      name: gpg-public-key
      namespace: ci
      public.key: >-
        <Base64 PUBLIC GPG KEY> (1)
    type: Opaque
    1Public key, containing BEGIN/END lines base64 encoded.
  2. Create the following Task:

    kind: Task
      name: verify-source-code-commit-signature
      namespace: ci
      description: This task verifies the latest commit and signature against the gpg
        public key
        - default: ''
          name: gitInit
          type: string
      - computeResources: {}
        image: $(params.gitInit)
        name: git-verify
        script: |
          set -x (1)
          gpg --import /workspace/secrets/public.key
          git config --global --add /workspace/repository
          git verify-commit HEAD || (echo "Unable to verify commit at HEAD!" && exit 1)
        workingDir: /workspace/repository
      - name: repository
      - name: secrets (2)
    1The script to verify the signature of the commit,
    2The workspace that mounts the Secret containing the gpg key,
  3. Modify the TriggerTemplate and add the following 3 lines

              - name: secrets
                  secretName: gpg-public-key (1)
    1The name of the Secret where the public key can be found.
  4. Update the pipeline to execute the task verify-commit-signature, which is running in parallel to the SonarQube scan.

        - name: verify-commit-signature
            - pull-source-code (1)
            kind: Task
            name: verify-source-code-commit-signature (2)
          workspaces: (3)
            - name: repository
              workspace: shared-data
            - name: secrets
              workspace: secrets
        - name: secrets (4)
    1This task runs after pull-source-code but in parallels with the SonarQube task.
    2Task reference
    3Workspaces that are used in this Task
    4Additional workspace for the Pipeline

The full pipeline objects now look like the following:

The status of the Pipeline now is:

Figure 2. Pipeline

Execute the Pipeline

Let’s update the of our source code again to trigger another PipelineRun.

Now the 3rd task will verify if the commit was signed.

PipelineRun Details
Figure 3. PipelineRun Details

In the logs of the Task, we can see that the commit was signed and could be verified. See:

gpg: Good signature from "Thomas Jungbauer <>"
Signature Verification
Figure 4. Signature Verification


At this stage we have a Pipeline, that pulls our code, does a code analysis, and verifies if the commit has been signed. The very next step is to build the image and push it into an Image Registry.