DEV Community

Cover image for Signed Git commits in VS Code

Signed Git commits in VS Code

Andreas on September 27, 2019

The time had come to fix something that had been bugging me for a long time: Still making unsigned Git commits from VS Code. TL;DR: Add "git.enabl...
Collapse
 
pavelloz profile image
Paweł Kowalski • Edited

Thank you so much for this post. Very good stuff

I didnt manage to do it myself, but thats probably just me and one day it will work ;)

Edit: Fixed.
I had to use GPG Keychain for mac os to make it work. ;)

Collapse
 
devmount profile image
Andreas

You're welcome, glad I could help! And thanks for the GPG keychain hint!

Collapse
 
sivaraam profile image
Kaartic Sivaraam

Nice post. It would be nice to have TL;DR at the top of the post that just covered the following content:

Finally you have to tell VS Code to append the -s flag to the git commit command, to use signed committing now. Open the settings, search for “gpg” and check the box “Enables commit signing with GPG”.

Alternatively you can add this line to your settings.json :

"git.enableCommitSigning": true

And that’s it! Now you can commit your changes in VS Codes Git integration and sign your work.

Collapse
 
devmount profile image
Andreas

Great suggestions - done. Many thanks (and sorry for the late reply - didn't see any notification about your comment).

Collapse
 
thebouv profile image
Anthony Bouvier

Make sure to look up the discussion around whether you should auto-sign or not.

Linus Torvalds for instance is against it.

I personally do auto-sign my own work.

Just suggesting that you look into the discussion and make your decision.

Collapse
 
devmount profile image
Andreas

Thank you Anthony for your suggestion!

I found this thread where Linus describes his opinion about auto-sign commits. But I'm not really sure I understood his point correctly... For me it sounds more that he argues for a different use case: the verification of the integrity of a release (git tags) or entire project. For me it's more about verifying the authorship of single commits.

Collapse
 
drazisil profile image
Molly Crendraven
Collapse
 
matiaslgonzalez profile image
Matías González

Good article! Though I don't know if I'm understanding the subject incorrectly but I think the git commit flag needed to sign (in the sense of using you gpg keys to sign the commit) is -S and not -s. I'm assuming that the "git.enableCommitSigning": true option is adding -S correctly. My git man pages reads:

-s, --signoff
           Add Signed-off-by line by the committer at the end of the commit log message. The meaning of a signoff
           depends on the project, but it typically certifies that committer has the rights to submit this work under
           the same license and agrees to a Developer Certificate of Origin (see http://developercertificate.org/ for
           more information).
Enter fullscreen mode Exit fullscreen mode
-S[<keyid>], --gpg-sign[=<keyid>]
           GPG-sign commits. The keyid argument is optional and defaults to the committer identity; if specified, it
           must be stuck to the option without a space.
Enter fullscreen mode Exit fullscreen mode
Collapse
 
nicolaerario profile image
Nicola Erario

Now I have my green badge on my commits, thank you! Good write( only the “import” section wasn’t clear to me ).

Collapse
 
devmount profile image
Andreas • Edited

Nice 👏🏻!
And thank you for your feedback! Any suggestions how to improve the "import" part? I'll try to update it soon!

Collapse
 
nicolaerario profile image
Nicola Erario

In reality, I haven’t to import nothing: after the key are created, go straight to “set up git” section; to setup GitHub, then, with the command gpg —armor —export you can copy/paste the public key to GitHub settings. Furthermore I discovered that git on windows came bundled with own gpg executable so, using your guide with git bash, the “Error: secret key not available” section is useless (git can commit without to declare the path because it uses its own). Last trick: you can leave the pass phrase blank so you don’t need to write it to commit. Ps: sorry for the formatting, I’m on mobile

Thread Thread
 
devmount profile image
Andreas • Edited

Thank you Nicola, I've updated the post accordingly! The "import" part now covers the key creation case and gpg --armor --export command.

Yes, if you don't have any issues with this error message, you don't have to specify the path. It was just meant for those, who are facing the same problem as I did.

I wouldn't recommend using a private key without a passphrase for security reasons. But yes, you're right: you don't have to use a passphrase.

Collapse
 
rugglcon profile image
Connor Ruggles • Edited

The one problem I've come upon is on Mac, if you haven't put your passphrase in for a while, VSCode doesn't prompt you for your password, you have to commit from the terminal. This is solved by using GPG Suite, as it permanently caches your credentials, but without using this you're unable to commit every ~2 hours from the interface and have to use the terminal.

Otherwise, great post.

Collapse
 
devmount profile image
Andreas

Thank you for this addition 👏🏻

Collapse
 
supermario_ai profile image
SuperMario

For me, I had to add a Carriage Return after -"----BEGIN PGP PUBLIC KEY BLOCK-----" and before "-----END PGP PUBLIC KEY BLOCK-----" to get it to work, but otherwise killer write up Fam! Thank you for this! ❤💯

Collapse
 
gizmecano profile image
P. Mergey • Edited

This kind of article is exactly what I expect to find on this platform: something which is supplementing documentation by adding some specific case studies (i.e. your last part about unavailability of secret key).

That being said, to come back to the subject, once the key has been created and the VSC editor settings have been properly configured, the recurring appearance of the Pinentry dialog window in order to type passphrase each time you are ready to commit something is particularly annoying (and it doesn't seem easy to define an convenient storage of this password currently).

Collapse
 
devmount profile image
Andreas

Thank you for your comment (I didn't get notified about it, seems like this is a general issue on dev.to for new comments on old articles)! I'm totally with you here - though you get used to it at some point, it's nevertheless additional effort.

I see if I can find a convenient way to save this password on a trusted device. I will update the article accordingly if I found something.

Collapse
 
thefern profile image
Fernando B 🚀

That's pretty cool, I need to get mine setup. Awesome read!

Collapse
 
devmount profile image
Andreas

Thank you 😊! I'm glad this post is useful for you!

Collapse
 
mitch1009 profile image
Mitch Chimwemwe Chanza • Edited

Thanks for this guide. i guess i don't have to make the same post i will share it. i have been using this feature on my account but a few week ago i came across a problem where every time i want to push changes to my repo it gives me this error:

  Git: fatal: the receiving end does not support --signed push
Enter fullscreen mode Exit fullscreen mode

i have to use the terminal and include

--signed=false
Enter fullscreen mode Exit fullscreen mode

for any push to work and it keeps my green badge status
any help on this guys.
Thanks for you help.

Collapse
 
imsergiobernal profile image
Sergio

Pretty cool thanks a lot

Collapse
 
devmount profile image
Andreas

You're welcome 😊! Happy to see that it's useful!

Collapse
 
sp0ker profile image
Rémi FLAMENT

You can define the key to use in your git config

git config --global user.signingkey AF5AD0.....
Enter fullscreen mode Exit fullscreen mode
Collapse
 
ryannorooz profile image
Ryan Norooz

just Created an account to come and thank you for the awesome article👍
keep up the good stuff❤

Collapse
 
devmount profile image
Andreas

You're very welcome 🤗 Will do!

Collapse
 
adarshmadrecha profile image
Adarsh Madrecha • Edited

Thanks for the guide. I have also written my 1st technical guide on the same topic with detailed screenshots for Windows and Gitlab - link.medium.com/LqSLButvuab

Collapse
 
shroomlife profile image
shroomlife 🍄

Thank you very much!

Collapse
 
adawolfs profile image
Alvin Estrada

nice to read and very useful!

Collapse
 
16sweetyjain profile image
Sweety Jain

This post really saved me . I was quite frustrated why commit signing is not working irrespective of all the efforts.Thanks:)

Collapse
 
devmount profile image
Andreas

I'm happy it's working for you now 👏🏻

Collapse
 
smyja profile image
Smyja

great article, i'm going to try it on a mac.

Collapse
 
pranav profile image
John Wick

"Note that the path may be a different one on your system."

I use Ubuntu 19.10. How can I set this path in mine?

Collapse
 
devmount profile image
Andreas

Sorry for the late reply. On Ubuntu you can just use:

git config --global gpg.program gpg
Enter fullscreen mode Exit fullscreen mode

or

git config --global gpg.program gpg2
Enter fullscreen mode Exit fullscreen mode

according to the GPG version you have installed.