Sign your Commits!!!
If you happen to be a github user then you might have seen this Verified signature next to some commits.
What does it mean? Are they part of secret society of Verified users? should I be signing my commits too?
Let's be real here, we all like shiny green badges next to our commits, it give us a sense of power.
Good news! In this blog-post you're going to learn how to sign your commits using GPG or SSH keys.
Table of contents
- Using GPG to sign commits
- Add GPG key to Github
- Configure Git to use GPG key
- Using SSH keys to Sign Commits
- Resources
Using GPG to sign commits
Before we get started, please check the version of gpg
is up to date by running gpg --version
Mine is gpg (GnuPG) 2.2.37
.
Generate the GPG key
gpg --full-generate-key
- what kind of key you want: select RSA (sign only) by typing
4
and hitEnter
- keysize: type
4096
and hitEnter
- how long the key should be valid: recommended
2y
or3y
Answer the questions:
- Real name: Your name or your Github username
- Email address: The verified email address for your github account
- Github specific: You could also use the no-reply email of your Github account: At email settings bellow the
Keep my email addresses private
checkbox should be the no-reply email like@users.noreply.github.com
- Github specific: You could also use the no-reply email of your Github account: At email settings bellow the
- Assuming everything is fine, type
O
to confirm - Provide a passphrase: Choose a secure passphrase
- personal recommendation: create a passphrase made of
12
to16
characters with at least one special character ($, #, @, ...
)
- personal recommendation: create a passphrase made of
Test the GPG key
echo 'hi!' | gpg --clear-sign > test.txt
gpg --verify test.txt
It should say something like: Good signature from "USERNAME (Test Key) <example@email.com>"
Get the GPG key ID
gpg --list-secret-keys --keyid-format=long
# or
gpg -K --keyid-format=short
# Output:
sec rsa4096/A537823F 2022-09-02 [SC] [expires: 2023-09-02]
E98E6B0663442DE0463E2A880FE0F073A537823F
uid [ultimate] USERNAME (Test Key) <example@email.com>
In this case the key ID is A537823F
(from rsa4096/A537823F
)
Add GPG key to Github
-
Get the public key
gpg --armor --export A537823F # generated key # -----BEGIN PGP PUBLIC KEY BLOCK----- # .... # -----END PGP PUBLIC KEY BLOCK-----
Copy the generated key
-
Go to SSH and GPG keys on github or Add new GPG key on github
Paste the generated key
Click
Add GPG key
Configure Git to use GPG key
With the key ID A537823F
-
Add signingkey
git config --global user.signingkey A537823F
-
Enable sign for all commits and tags
git config --global commit.gpgSign true git config --global tag.gpgSign true
-
Set your name and email
git config --global user.name USERNAME git config --global user.email example@email.com
Gpg agent configuration
-
Export GPG_TTY
append the following to your.bashrc
/.zshrc
or your initialization file
export GPG_TTY=$(tty) # For fish users: set -x GPG_TTY $(tty)
- Configure gpg.conf
- create
~/.gnupg/gpg.conf
- append
use-agent
to~/.gnupg/gpg.conf
Using SSH keys to Sign Commits
If you don't have a ssh key already, check:
Don't forget to set the Key type to Signing key
If you do have one, then:
Configure git to use ssh
git config --global gpg.format ssh
Copy your public ssh key
cat ~/.ssh/id_ed25519.pub
Set the signkey to your public ssh key (replace the text inside the quotes)
# Beware of the quotes
git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) example@email.com'
Add your public ssh key to ~/.config/git/allowed_signers
example@email.com ssh-ed25519 ssh-ed25519 AAAAC3(...) example@email.com example@email.com
Let Git know about this file
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
Verify your signed commit
git commit -m "Some message"
# Verify the commit
git verify-commit 488a8d82 # get the hash with git log
# Or
git log --show-signature
Top comments (0)