Securing git commits from tricking you on Windows

Did you know that by default you can check in code as anyone in your git repository? All you need to do is run git config.username = {username} and git config.email={email}and you can trick git into thinking you are someone else. For a better understanding of what kinds of problems this can create, go and read Mike Gerwitz’s article, A Git Horror Story. Luckily, Git allows you to resolve this issue pretty easily - by letting you sign commits using GPG(GNU Privacy Guard).

The GitHub help article Signing commits using GPG is a pretty good guide on how to set it up. But, it requires you to use the git bash console. So, what do you do if like me you are on a Windows machine and would prefer to use a GUI? Don't fear this guide will tell you what you need to know.

Using Gpg4win with Git needs a little bit of configuration so let's start configuring it.

Setup Kleopatra

1. Download Gpg4win and install it using the installer.

2. Go to the Start menu and start Kleopatra

3. Click on File -> New Key Pair

1. Click on Create a Personal OpenPGP key pair

1. Enter details and click next.

1. Review and Create the key. This will show a popup asking you to enter a passphrase to protect the key.

2. Enter a passphrase and click Ok

1. At this point, the key pair should be created. Click on Finish.

You can create a backup of the key and save it somewhere safe.

1. You should now see the key in Kleopatra

1. Keep a note of the Key-ID. We will need it in a minute.

This is D1E4471 in the screenshot above

1. Double click the key to see the certificate details

1. Click on export and copy the public gpg key.

Make sure you copy everything including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----

Configure Git to Sign Commits

1. Update the global git config to use the signing key.
   Remember the Key-ID from above - You will need it here.

2. Enter git config user.signingkey D1E4471 in your git console

If you want to set it on a global level, use git config --global user.signingkey D1E4471instead

1. Instruct git to sign every commit automatically.

2. Enter git config commit.gpgsign true in your git console. If you want to set it on a global level, use git config --global commit.gpgsign trueinstead.

3. Instruct git to sign every tag automatically.

4. Enter git config tag.gpgsign true in your git console. If you want to set it on a global level, use git config --global tag.gpgsign true instead

5. Tell git use the gpg4win version of gpg.exe

6. Enter git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe" in your git console.

You might need to tweak the location of the program if you installed it in a custom location

To check that it works, commit some code to a repository which has been set up to use signing. You should be prompted for the passphrase you entered earlier.

Configure Kleopatra to cache the passphrase for a longer time

1. Run Kleopatra. Click on Settings -> Configure Kleopatra

2. On the configure page click on GnuPG System -> Private Keys and scroll down to the Options controlling the security section.

3. Set the cache time. 86400 seconds is equal to 1 day.

Configure Github to show verified commits

1. Follow the steps at Adding a new GPG key to your GitHub account so that Github can show the verified commits. Use the public gpg key that you had copied earlier.

To check if it works, push the signed commit. You should see the Verified tag in the commit history on Github.

The commit should have a verified tag which you can click to see additional details

Conclusion

Now all the commits will have a verified tag. Do you sign your commits? Let me know in the comments