DEV Community

Cover image for Signing Git Commits with GPG Key
Aayush Gupta
Aayush Gupta

Posted on • Updated on

Signing Git Commits with GPG Key

Git is a really useful tool. It allows you to create patches that show that you are the author of it, write a great commit message which explains what your patch does, and provides a number of additional useful features as well.

However, the fact that anyone can amend a commit's author, its contents and the information makes it a bit difficult to trust. How can one verify that the patch which was submitted to be merge was actually committed by the person who is the author? The answer to this question is GPG.

GPG or better known as GnuPG stands for GNU Privacy Guard. It is completely free and allows you to encrypt and sign your data and communications.

Git supports signing commits using the GPG keys which are password protected. Using this key's fingerprint, one can verify that whether the commit is actually coming from the right person or not.

Generating GPG Keys

To use GPG to sign your commits, you need to generate a new key with your details.

$ gpg --gen-key
Enter fullscreen mode Exit fullscreen mode

Once it's done, GPG will show the details of the key generated. You can also use gpg --list-keys to show a list of all available keys in the system.

aayush@theimpulson:~/AndroidStudioProjects/WorkManagerExample$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-02-18
pub   rsa3072 2021-02-18 [SC] [expires: 2023-02-18]
uid           [ultimate] John Doe <>
sub   rsa3072 2021-02-18 [E] [expires: 2023-02-18]

Enter fullscreen mode Exit fullscreen mode

In order to view the complete public key, use the gpg --armor --export command with your key fingerprint as an argument.

$ gpg --armor --export 3374G6B8F966A28CEE9793HF12F656DD4B5K8BB0
Enter fullscreen mode Exit fullscreen mode

This will show your complete public key under a block like this:

. YOUR KEY DETAILS..............
Enter fullscreen mode Exit fullscreen mode

This key has been revoked and deleted from the system after this article was finished.

Signing Commits Using GPG Keys

Now we need to enable signing our git commits using the key we just generated using the command above. To do this, we can change the current git configuration using the git config command.

$ git config --global commit.gpgsign true
$ git config --global user.signingkey 3374G6B8F966A28CEE9793HF12F656DD4B5K8BB0
Enter fullscreen mode Exit fullscreen mode

The first command globally enables signing commits using GPG keys and the second command provides the key to be used to actually sign the commit. You need to provide your GPG key fingerprint as I did with mine.

Once done, now after every commit, git will ask you to enter your gpg password key to commit changes.

Adding GPG Key to GitHub/GitLab Account

Adding your GPG keys to your GitHub/GitLab account will result in a small verified badge shown just beside your commit proving that the commit has actually signed and comes from you.

Verified Signature on GitHub

Here is how you can do that:

Saving Your GPG Key in a Password Manager

This section might be useful for the users who make a number of commits and want to automate the entry of the password on committing it. You can use a password manager to save and auto-enter the password every time a new commit is done.

A lot of Linux Distributions ships with their own password managers which might do this job. I use Linux Mint which ships with Seahorse also known as "Passwords and Keys" which does the job pretty well for me.

Not recommended unless you own the computer and the account on which you are saving the password.

and that's all. Now you can securely sign and share your commits which will help others to know that whether a commit actually comes from you or not.

Top comments (0)