Gers2017

How to sign your commits with GPG or SSH keys

Sign your Commits!!!

If you happen to be a GitHub user, you might have seen this Verified signature next to some commits.

What does it mean? Are they part of a secret society of Verified users? Should I be signing my commits too?

Github Signed Commit

Let's be real here: we all like shiny green badges next to our commits; it gives us a sense of power.
Good news! In this blog post you're going to learn how to sign your commits using GPG or SSH keys.

Using GPG to sign commits

Before we get started, check that your version of gpg is up to date by running gpg --version.
Mine is gpg (GnuPG) 2.2.37.

Generate the GPG key

gpg --full-generate-key

  1. What kind of key you want: select RSA (sign only) by typing 4 and hit Enter
  2. Keysize: type 4096 and hit Enter
  3. How long the key should be valid: recommended 2y or 3y

Answer the questions:

  1. Real name: Your name or your GitHub username
  2. Email address: The verified email address for your GitHub account
    • GitHub specific: You could also use the no-reply email of your GitHub account. In the email settings, below the Keep my email addresses private checkbox, you should find the no-reply email, which looks like @users.noreply.github.com
  3. Assuming everything is fine, type O to confirm
  4. Provide a passphrase: Choose a secure passphrase
    • Personal recommendation: create a passphrase made of 12 to 16 characters with at least one special character ($, #, @, ...)

Test the GPG key

echo 'hi!' | gpg --clear-sign > test.txt
gpg --verify test.txt

It should say something like: Good signature from "USERNAME (Test Key) <example@email.com>"

Get the GPG key ID

gpg --list-secret-keys --keyid-format=long
# or
gpg -K --keyid-format=short

# Output of the second command (short key ID format):

sec   rsa4096/A537823F 2022-09-02 [SC] [expires: 2023-09-02]
    E98E6B0663442DE0463E2A880FE0F073A537823F
uid         [ultimate] USERNAME (Test Key) <example@email.com>

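In this case the key ID is A537823F (from rsa4096/A537823F). The full fingerprint on the second line of the output, E98E6B0663442DE0463E2A880FE0F073A537823F, ends with the same digits and identifies the key unambiguously, which an 8-digit short ID does not guarantee.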

Add GPG key to GitHub

Configure Git to use GPG key

With the key ID A537823F

  • Add signingkey

    git config --global user.signingkey A537823F
    
  • Enable signing for all commits and tags

    git config --global commit.gpgSign true
    git config --global tag.gpgSign true
    
  • Set your name and email

    git config --global user.name USERNAME
    git config --global user.email example@email.com
    

GPG agent configuration

  • Export GPG_TTY
    append the following to your .bashrc / .zshrc or your initialization file

    export GPG_TTY=$(tty)
    
    # For fish users:
    set -x GPG_TTY $(tty)
    
  • Configure gpg.conf
    • create ~/.gnupg/gpg.conf
    • append use-agent to ~/.gnupg/gpg.conf

Using SSH keys to Sign Commits

If you don't have an SSH key already, check:

Don't forget to set the Key type to Signing key

If you do have one, then:

Configure git to use ssh

git config --global gpg.format ssh

Copy your public ssh key

cat ~/.ssh/id_ed25519.pub

Set the signing key to your public SSH key (replace the text inside the quotes)

# Beware of the quotes
git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) example@email.com'

Add your public ssh key to ~/.config/git/allowed_signers

example@email.com ssh-ed25519 AAAAC3(...) example@email.com

Let Git know about this file

git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
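
A malformed allowed_signers entry (a doubled key type, a truncated key, a left-over placeholder) makes signature verification fail. The following check is an added example, not part of the original post: it validates each entry's layout and confirms that the key type named on the line matches the one encoded inside the base64 key. The function names and the all-zero sample key are constructed for illustration, and options are assumed to contain no spaces.

```python
import base64
import binascii

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def make_sample_key():
    """Constructed sample: an ssh-ed25519 blob with 32 zero bytes (not a real key)."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes(32)
    return base64.b64encode(blob).decode()

def check_signer_line(line):
    """Return (principals, key_type) for a well-formed entry, else raise ValueError."""
    fields = line.split()
    # Options may sit between the principals and the key type, so search for it.
    idx = next((i for i, f in enumerate(fields[1:], 1) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("expected: principals [options] key-type base64-key")
    key_type, b64 = fields[idx], fields[idx + 1]
    if b64 in KEY_TYPES:
        raise ValueError("key type written twice")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        raise ValueError("key is not valid base64 (truncated or placeholder)") from None
    # The decoded blob starts with a length-prefixed copy of the key type name.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return fields[0].split(","), key_type

def audit(text):
    """Return [(line_number, problem)] for every bad entry in an allowed_signers file."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are allowed
        try:
            check_signer_line(line)
        except ValueError as err:
            problems.append((no, str(err)))
    return problems

if __name__ == "__main__":
    key = make_sample_key()
    print(audit(f"example@email.com ssh-ed25519 ssh-ed25519 {key} example@email.com"))
```

To check your own file, pass its contents to audit(); an empty list means every entry has a valid layout.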

Verify your signed commit

git commit -m "Some message"

# Verify the commit

git verify-commit 488a8d82 # get the hash with git log
# Or 
git log --show-signature