Git supports signing commits with a GPG key, and more recently (since Git 2.34) also started supporting signing with an SSH key. The latter is IMHO much easier to set up, because anybody who can push to the GCC repo already has an SSH key configured.

To start signing your git commits, just enable commit.gpgsign (which also enables signing with SSH, despite the name) and tell Git where to find your public key. To use SSH keys instead of GPG, set gpg.format=ssh. I suggest the ssh key you sign with should be the same key that you use to push to gcc.gnu.org / sourceware.org i.e.

    git config --global gpg.format ssh
    git config user.signingKey ~/.ssh/id_your_gcc_key.pub
    git config commit.gpgsign true

More info online e.g. https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html

You can see the signature on a signed commit using git log --show-signature e.g.

    $ git log --show-signature origin/master | head -6
    commit eb67e2396f3ee834bf3a8299f5b6d93ba82d3950
    Good "git" signature for jwak...@redhat.com with RSA key SHA256:8rFaYhDWn09c3vjsYIg2JE9aSpcxzTnCqajoKevrUUo
    Author: Jonathan Wakely <jwak...@redhat.com>
    Date:   Mon Sep 16 10:04:40 2024

If a signature is not recognised you'll see something like this:

    commit 323291c29c77e3214f4850129bb8a3d0d8da6a45
    gpg: Signature made Wed 11 Sep 2024 22:53:40 BST
    gpg:                using RSA key E5E9554C5B7F774F55B28733BF63C1BC3FA43540
    gpg: Can't check signature: No public key
    Author: Martin Jambor <mjambor@...>
    Date:   Wed Sep 11 22:53:21 2024

This says it's signed, but by a key my machine doesn't know, maybe because it's a GPG key and I have no GPG keychain? But somebody who does know Martin's key would probably see this as a good signature.

For SSH keys, you can configure git to use a file of known keys, e.g.

    git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

I have my own SSH public key in that file (see 'man ssh-keygen' or the gitlab URL above for the format of that file) so git log shows my signed commits in happy colours without a warning.

Because I've also uploaded my public key to github, when you view the commit there (in any fork of the GCC repo) it shows as "verified" e.g. in the unofficial mirror: https://github.com/gcc-mirror/gcc/commit/eb67e2396f3ee834bf3a8299f5b6d93ba82d3950