How to sign your commits with GPG or SSH keys

Gers2017 — Sat, 03 Sep 2022 13:27:43 +0000

Sign your Commits!!!

If you happen to be a github user then you might have seen this Verified signature next to some commits.

What does it mean? Are they part of secret society of Verified users? should I be signing my commits too?

Let's be real here, we all like shiny green badges next to our commits, it give us a sense of power.
Good news! In this blog-post you're going to learn how to sign your commits using GPG or SSH keys.

Using GPG to sign commits
Add GPG key to Github
Configure Git to use GPG key
Using SSH keys to Sign Commits
Resources

Using GPG to sign commits

Before we get started, please check the version of gpg is up to date by running gpg --version
Mine is gpg (GnuPG) 2.2.37.

Generate the GPG key

gpg --full-generate-key

what kind of key you want: select RSA (sign only) by typing 4 and hit Enter
keysize: type 4096 and hit Enter
how long the key should be valid: recommended 2y or 3y

Answer the questions:

Real name: Your name or your Github username
Email address: The verified email address for your github account
- Github specific: You could also use the no-reply email of your Github account: At email settings bellow the Keep my email addresses private checkbox should be the no-reply email like @users.noreply.github.com
Assuming everything is fine, type O to confirm
Provide a passphrase: Choose a secure passphrase
- personal recommendation: create a passphrase made of 12 to 16 characters with at least one special character ($, #, @, ...)

Test the GPG key

echo 'hi!' | gpg --clear-sign > test.txt
gpg --verify test.txt

It should say something like: Good signature from "USERNAME (Test Key) <example@email.com>"

Get the GPG key ID

gpg --list-secret-keys --keyid-format=long
# or
gpg -K --keyid-format=short

# Output:

sec   rsa4096/A537823F 2022-09-02 [SC] [expires: 2023-09-02]
    E98E6B0663442DE0463E2A880FE0F073A537823F
uid         [ultimate] USERNAME (Test Key) <example@email.com>

In this case the key ID is A537823F (from rsa4096/A537823F)

Add GPG key to Github

Get the public key

gpg --armor --export A537823F

# generated key
# -----BEGIN PGP PUBLIC KEY BLOCK-----
# ....
# -----END PGP PUBLIC KEY BLOCK-----

Copy the generated key
Go to SSH and GPG keys on github or Add new GPG key on github
- More details here
Paste the generated key
Click Add GPG key

Configure Git to use GPG key

With the key ID A537823F

Add signingkey

git config --global user.signingkey A537823F

Enable sign for all commits and tags

git config --global commit.gpgSign true
git config --global tag.gpgSign true

Set your name and email

git config --global user.name USERNAME
git config --global user.email example@email.com

Gpg agent configuration

Export GPG_TTY
append the following to your .bashrc / .zshrc or your initialization file
```
export GPG_TTY=$(tty)

# For fish users:
set -x GPG_TTY $(tty)
```
- Configure gpg.conf
- create ~/.gnupg/gpg.conf
- append use-agent to ~/.gnupg/gpg.conf

Using SSH keys to Sign Commits

If you don't have a ssh key already, check:

Don't forget to set the Key type to Signing key

If you do have one, then:

Configure git to use ssh

git config --global gpg.format ssh

Copy your public ssh key

cat ~/.ssh/id_ed25519.pub

Set the signkey to your public ssh key (replace the text inside the quotes)

# Beware of the quotes
git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) example@email.com'

Add your public ssh key to `~/.config/git/allowed_signers`

example@email.com ssh-ed25519 ssh-ed25519 AAAAC3(...) example@email.com example@email.com

Let Git know about this file

git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers

Verify your signed commit

git commit -m "Some message"

# Verify the commit

git verify-commit 488a8d82 # get the hash with git log
# Or 
git log --show-signature

DEV Community: Gers2017

How to sign your commits with GPG or SSH keys

Sign your Commits!!!

Table of contents

Using GPG to sign commits

Generate the GPG key

Test the GPG key

Get the GPG key ID

Add GPG key to Github

Configure Git to use GPG key

Gpg agent configuration

Using SSH keys to Sign Commits

Configure git to use ssh

Copy your public ssh key

Set the signkey to your public ssh key (replace the text inside the quotes)

Add your public ssh key to `~/.config/git/allowed_signers`

Let Git know about this file

Verify your signed commit

Resources

DEV Community: Gers2017

How to sign your commits with GPG or SSH keys

Sign your Commits!!!

Table of contents

Using GPG to sign commits

Generate the GPG key

Test the GPG key

Get the GPG key ID

Add GPG key to Github

Configure Git to use GPG key

Gpg agent configuration

Using SSH keys to Sign Commits

Configure git to use ssh

Copy your public ssh key

Set the signkey to your public ssh key (replace the text inside the quotes)

Add your public ssh key to ~/.config/git/allowed_signers

Let Git know about this file

Verify your signed commit

Resources

Add your public ssh key to `~/.config/git/allowed_signers`