Interview CI/CD & GitOps

How do you sign commits, and why might that be required?

CI/CD & GitOps · Intermediate level

Answer

Commit signing cryptographically proves that a commit or tag was created by a trusted identity. It can be done with GPG, SSH signing, or S/MIME. Teams require it to improve provenance, reduce impersonation risk, and strengthen audit trails.

Technical explanation

Security gates should be policy-driven with documented exception handling; otherwise teams will bypass noisy checks.

Provenance should connect repository, commit, workflow identity, artifact digest, signer identity, and deployment environment.

Git history is both collaboration state and audit evidence, so choose merge, rebase, revert, and reset based on whether history is shared.

Short-lived branches reduce merge conflicts and make CI feedback meaningful; long-lived branches increase drift and integration risk.

Tags, release branches, signed commits, and changelogs connect source history to released artifacts and operational traceability.

Prefer safe, reviewable operations on shared branches: revert bad changes, open PRs for backports, and avoid force-pushes unless the team explicitly coordinates them.

Hands-on example

1. Practice commit signing in a throwaway repository with main, feature, release, and hotfix branches, keeping the interview question in mind: how do you sign commits, and why might that be required?

2. Create commits on multiple branches, then run the relevant commands: git merge, git rebase main, git cherry-pick <sha>, git revert <sha>, git tag -a v1.2.3, or git reset --hard only on a private branch.

3. Inspect the result with git log --oneline --graph --decorate --all and verify whether history was preserved, replayed, tagged, or safely undone.

4. Push through a pull request with required CI checks, run tests after conflict resolution or cherry-pick, and document why that operation was chosen.

5. For release scenarios, build from a signed tag, publish the artifact with the commit SHA and version, and confirm the release notes match the merged changes.
