Insights · Article · Security · May 8, 2026
GPG versus SSH signing, protected branches, merge queue attestations, and verifying identity when every pull request touches production config.
Unsigned commits rest on the hosting platform's account identity, which a stolen session token can impersonate, rather than on cryptographic proof of authorship. When build pipelines read from main, you want tamper evidence and policy that rejects anonymous force pushes.
SSH-backed signing integrates cleanly with many developers' existing key practices. GPG remains common in regulated environments that already operate key ceremonies. Pick one org standard and document onboarding.
Branch protection should require signed commits, status checks, and reviewed merges. Bypass lists rot quickly; audit them quarterly.
Merge queues and bots need signing identities that are clearly labeled automation, not personal accounts that imply human review where none occurred.
Key rotation requires overlapping trust periods and developer communication. Yanking a root key on Friday evening is a morale event.
Tie signatures to hardware security keys where feasible. Phishing-resistant MFA for code hosting complements signing but does not replace it.
Include verification in CI for tagged releases and configuration repos. Silent unsigned hotfixes become precedent.
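One way to wire the CI check this point describes, as an added example that is not from the article: a POSIX shell gate that reads git's per-commit signature status and fails the job when any commit in the range is unsigned or signed by an untrusted key. It assumes the runner already has the allowed-signers file (SSH) or keyring (GPG) configured, and the range origin/main..HEAD is a placeholder for whatever the pipeline is merging.

```shell
#!/bin/sh
# Added example (not from the original article): gate a CI job on commit signature status.
# Assumes git >= 2.34 and that trust is already configured on the runner
# (gpg.ssh.allowedSignersFile for SSH keys, or an imported GPG keyring).
set -eu

# check_signatures: read "<sha> <status> <signer>" lines on stdin, one per commit,
# in the format produced by `git log --format='%H %G? %GS'`.
# %G? values: G = good and trusted, U = good but untrusted key, X/Y = good but expired,
#             R = good but revoked key, E = cannot be checked, B = bad, N = no signature.
# Returns 0 only when every commit carries a good, trusted signature.
check_signatures() {
    bad=0
    while IFS=' ' read -r sha status signer; do
        [ -n "$sha" ] || continue
        case "$status" in
            G) ;;
            N) echo "UNSIGNED  $sha" >&2; bad=1 ;;
            B) echo "BAD-SIG   $sha" >&2; bad=1 ;;
            *) echo "UNTRUSTED ($status) $sha ${signer:-}" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# range_signature_status: emit one status line per commit in RANGE (e.g. origin/main..HEAD).
range_signature_status() {
    git log --format='%H %G? %GS' "$1"
}

# In CI: fail the job if any commit headed for main is not signed by a trusted key.
# Example invocation (uncomment on the runner):
# range_signature_status "origin/main..HEAD" | check_signatures
```

The same gate works for tagged releases by swapping `git log` for `git verify-tag` on the release tag.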
Finally, train incident responders to preserve commit metadata during forensics. Rebasing for cleanliness destroys audit trails you may later need.
We facilitate small-group sessions for customers and prospects without requiring a slide deck, focused on your stack, constraints, and the decisions you need to make next.