DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

Push the commit to the remote repository:

```bash
git push origin main
```

The history of the commit should show whether the commit is signed, unsigned, or has a non-matching signature.

![Git commit signature verification](resources/images/05.png)

Depending on the Git platform, an administrator can configure the repository to accept only signed commits. A pre-commit hook can be used to enforce this policy. If a GPG key is compromised, revoke it immediately from the same interface where you created it.
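As an added example (not code from the book), the following Python check shows how a server-side hook could enforce a signed-commits-only policy by evaluating the output of `git log --format='%H %G? %GS' <old>..<new>` for a pushed range. The hook setup, sample commit hashes and signer names are assumptions constructed for illustration.

```python
import subprocess

# Meaning of git's %G? placeholder, from git-log(1).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}
# Only a fully trusted, valid signature satisfies the policy; "U" is rejected
# so that keys the server has not explicitly trusted do not pass.
ACCEPTED = {"G"}

def parse_log(log_output):
    """Parse lines of '<sha> <status> [<signer>]' into (sha, status, signer)."""
    commits = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        sha, status, *signer = line.split(" ", 2)
        commits.append((sha, status, signer[0] if signer else ""))
    return commits

def evaluate_push(log_output):
    """Return (allowed, reasons); allowed is False if any commit is not 'G'."""
    reasons = []
    for sha, status, _signer in parse_log(log_output):
        if status not in ACCEPTED:
            desc = SIGNATURE_STATUS.get(status, "unknown status")
            reasons.append(f"{sha[:12]}: {desc} (%G?={status})")
    return (not reasons, reasons)

def log_for_range(old, new, repo="."):
    """Run the git command a hypothetical pre-receive hook would use (needs git and a repo)."""
    cmd = ["git", "-C", repo, "log", "--format=%H %G? %GS", f"{old}..{new}"]
    return subprocess.check_output(cmd, text=True)

# Constructed sample output, not taken from a real repository.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G Alice Example <alice@example.invalid>
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 B Mallory <mallory@example.invalid>
"""
```

In a real hook, `evaluate_push(log_for_range(old_sha, new_sha))` would be called once per updated ref, and a non-empty reasons list would be printed to the pusher before rejecting the update.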

### Passwordless Authentication

When using Git, you need to authenticate with your Git hosting service. This is usually done with a username and password. However, this method is not secure and can lead to unauthorized access to your repositories.

Take this scenario: you are using password-based authentication for your team. Here are the consequences:

- Passwords are chosen by users, which makes them susceptible to brute-force attacks, guessing when they are not complex enough, and social engineering. Never rely on users to choose strong passwords.
- Every time you authenticate, the password must be sent over the network, creating multiple opportunities for interception or leakage.
- Passwords are vulnerable to phishing attacks, keyloggers, and credential theft.
- Passwords require manual entry or storage in scripts/configuration files (which significantly raises the risk of credential exposure).
- Passwords are harder to manage; password reuse across services increases the risk of a large-scale compromise.
- Passwords are difficult to attribute to a specific person when they are shared or reused.

On the other hand, SSH keys
