@arya2004
Last active July 26, 2024 15:11
Guide to Configuring Signed Git Commits with GPG

You only need to follow these steps if you want to use GPG keys for signing.

Setup (for GPG)

First, you need to get GPG. This tutorial uses GnuPG, but there may be other implementations.

  1. Generate a GPG key
    gpg --full-generate-key
    Answer the questions as you wish, but in general:
    • Choose RSA and RSA
    • 3072 is fine for the key size (refer to GnuPG Frequently Asked Questions)
    • 0 for expiration is fine
    • Match the E-Mail address to your Git and GitHub config

[Screenshot from 2024-07-26 20-35-50]

Git Configuration (for GPG)

You will need your key ID, which you can find using:

gpg --list-secret-keys --keyid-format=long

[Screenshot from 2024-07-26 20-36-03]

In this example, the string C0CD5554B128E244 is the key ID we’re looking for (it is the last 16 hex characters of the 40-character fingerprint printed on the line below).
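Picking the key ID out of that listing by hand is error-prone, so here is a small added example (not part of the original gist) that extracts the long key ID from the `sec` line and checks that it really is the last 16 characters of the fingerprint on the following line. The listing below is constructed to mirror GnuPG's layout; the fingerprint in it is made up for the example, and the function names are mine.

```shell
# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output.
# The fingerprint and subkey ID are invented for this example.
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa3072/C0CD5554B128E244 2024-07-26 [SC]
      1A2B3C4D5E6F7A8B9C0D1E2FC0CD5554B128E244
uid                 [ultimate] Example User <user@example.com>
ssb   rsa3072/0123456789ABCDEF 2024-07-26 [E]
'

# Print the long key ID of the first secret primary key: the part after the
# slash on the "sec" line (e.g. rsa3072/C0CD5554B128E244 -> C0CD5554B128E244).
gpg_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# Print the 40-hex-character fingerprint line that follows the first "sec" line.
gpg_fingerprint() {
  printf '%s\n' "$1" | awk '
    found && NF == 1 && length($1) == 40 && $1 ~ /^[0-9A-F]+$/ { print $1; exit }
    $1 == "sec" { found = 1 }'
}

# Return 0 when the key ID equals the last 16 characters of the fingerprint,
# 1 when either value is missing or they disagree.
key_id_matches_fingerprint() {
  id=$(gpg_key_id "$1")
  fp=$(gpg_fingerprint "$1")
  [ -n "$id" ] && [ "$id" = "$(printf '%s' "$fp" | tail -c 16)" ]
}

# Demonstration on the constructed listing.
if key_id_matches_fingerprint "$SAMPLE_LISTING"; then
  echo "key ID $(gpg_key_id "$SAMPLE_LISTING") is the tail of fingerprint $(gpg_fingerprint "$SAMPLE_LISTING")"
else
  echo "no usable secret key found in listing" >&2
fi
```

On a real machine you would feed it the live output instead of the sample, e.g. `gpg_key_id "$(gpg --list-secret-keys --keyid-format=long)"`, and pass the result to `git config --global user.signingkey`. Comparing the ID against the full fingerprint is worth the extra line: the 16-character short form is what Git and GitHub use, but the fingerprint is what you should read back to someone when confirming which key is meant.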

Now tell Git to always use this key to sign commits:

git config --global user.signingkey <your key id>
# Example
git config --global user.signingkey C0CD5554B128E244

If you want Git to sign all commits and tags from now on, you can enable this:

git config --global commit.gpgsign true
git config --global tag.gpgsign true

Git also supports signing pushes as a form of attestation. Unfortunately, GitHub does not support this at the moment. You can still enable this feature so that it’ll sign a push if the server supports it. This will result in a warning message every time it cannot sign a push:

git config --global push.gpgSign if-asked

The warning is: warning: not sending a push certificate since the receiving end does not support --signed push

GitHub Configuration (for GPG)

  1. Go to GitHub: SSH and GPG keys

  2. To add your key, you need to get a text version of your public key:

    gpg --armor --export <key id>

    Example:

    gpg --armor --export C0CD5554B128E244

  3. Copy the output and add your key on GitHub.

Add your key:

[Screenshot: adding the key on GitHub]

Now your key should appear here:

[Screenshot from 2024-07-26 20-32-48]

Optional: Vigilant Mode (for GPG)

For extra security, you can enable vigilant mode on GitHub. This can be enabled at the bottom of this page.

Usage (for GPG)

If you set the global options commit.gpgsign and tag.gpgsign, you don’t need to do anything special, and Git will automatically try to sign all commits and tags from now on.

The method by which Git tries to sign can be configured using the gpg.format option, which defaults to openpgp but can also be set to ssh or x509 (not used at Stackable).

IntelliJ, at least, picks up the setting automatically as well.

If you don’t set the option, you can pass the -S option to git commit:

git commit -S -m "YOUR_COMMIT_MESSAGE"

GitHub will (should) now show your commits as “Verified”:

[Screenshot from 2024-07-26 20-27-09]

You can also check locally:

git log --show-signature
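Reading `git log --show-signature` by eye works for one commit; for checking a whole branch before merging it is easier to use Git's `%G?` format placeholder, which prints one letter per commit: G (good signature, trusted key), B (bad signature), U (good signature, key of unknown validity), X/Y/R (good signature but expired signature, expired key or revoked key), E (cannot be checked, typically because the public key is not in your keyring) and N (no signature). The following is an added example, not part of the original gist: the log lines are constructed to look like `git log --format='%h %G? %s'` output with made-up hashes and subjects, and the function names are mine.

```shell
# Constructed sample of `git log --format='%h %G? %s'` output; hashes and
# subjects are invented for this example.
SAMPLE_LOG='a1b2c3d G Add signing guide
b2c3d4e N Quick fix without signature
c3d4e5f U Merge branch from contributor
d4e5f60 E Imported commit, key not in keyring
e5f6071 B Tampered commit'

# Print "<hash> <status>" for every commit whose %G? status letter is not in
# the accepted set. The second argument lists acceptable letters; by default
# only G (good signature from a key you have marked as trusted) passes.
unsigned_or_bad_commits() {
  accept="${2:-G}"
  printf '%s\n' "$1" | awk -v accept="$accept" '
    NF >= 2 && index(accept, $2) == 0 { print $1 " " $2 }'
}

# Return 0 when every commit in the log has an accepted status, 1 otherwise.
all_commits_signed() {
  [ -z "$(unsigned_or_bad_commits "$1" "$2")" ]
}

# Demonstration: strict mode flags four of the five commits, accepting U as
# well (a good signature from a key you have not yet trusted) flags three.
echo "Failing commits (only G accepted):"
unsigned_or_bad_commits "$SAMPLE_LOG"
echo "Failing commits (G or U accepted):"
unsigned_or_bad_commits "$SAMPLE_LOG" GU
if all_commits_signed "$SAMPLE_LOG" GU; then
  echo "all commits signed"
else
  echo "some commits are unsigned or have bad signatures" >&2
fi
```

Against a real repository, `all_commits_signed "$(git log --format='%h %G? %s' origin/main..HEAD)"` checks just the commits you are about to push; `git verify-commit HEAD` does the same for a single commit and exits non-zero on failure. Note that G only appears when the signer's public key is in your local keyring and you have marked it trusted; a colleague's perfectly good signature shows as U or E until you import and trust their key, so decide deliberately whether U belongs in the accepted set for your team rather than loosening the check when it first fails.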