Git is a really useful tool. It allows you to create patches that show that you are the author of it, write a great commit message which explains what your patch does, and provides a number of additional useful features as well.
However, the fact that anyone can amend a commit's author, its contents and the information makes it a bit difficult to trust. How can one verify that the patch which was submitted to be merge was actually committed by the person who is the author? The answer to this question is GPG.
GPG or better known as GnuPG stands for GNU Privacy Guard. It is completely free and allows you to encrypt and sign your data and communications.
Git supports signing commits using the GPG keys which are password protected. Using this key's fingerprint, one can verify that whether the commit is actually coming from the right person or not.
Generating GPG Keys
To use GPG to sign your commits, you need to generate a new key with your details.
$ gpg --gen-key
Once it's done, GPG will show the details of the key generated. You can also use gpg --list-keys to show a list of all available keys in the system.
aayush@theimpulson:~/AndroidStudioProjects/WorkManagerExample$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-02-18
/home/aayush/.gnupg/pubring.kbx
-------------------------------
pub rsa3072 2021-02-18 [SC] [expires: 2023-02-18]
3374G6B8F966A28CEE9793HF12F656DD4B5K8BB0
uid [ultimate] John Doe <JohnDoe@gmail.com>
sub rsa3072 2021-02-18 [E] [expires: 2023-02-18]
In order to view the complete public key, use the gpg --armor --export command with your key fingerprint as an argument.
$ gpg --armor --export 3374G6B8F966A28CEE9793HF12F656DD4B5K8BB0
This will show your complete public key under a block like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
.
.
. YOUR KEY DETAILS..............
.
.
-----END PGP PUBLIC KEY BLOCK-----
This key has been revoked and deleted from the system after this article was finished.
Signing Commits Using GPG Keys
Now we need to enable signing our git commits using the key we just generated using the command above. To do this, we can change the current git configuration using the git config command.
$ git config --global commit.gpgsign true
$ git config --global user.signingkey 3374G6B8F966A28CEE9793HF12F656DD4B5K8BB0
The first command globally enables signing commits using GPG keys and the second command provides the key to be used to actually sign the commit. You need to provide your GPG key fingerprint as I did with mine.
Once done, now after every commit, git will ask you to enter your gpg password key to commit changes.
Adding GPG Key to GitHub/GitLab Account
Adding your GPG keys to your GitHub/GitLab account will result in a small verified badge shown just beside your commit proving that the commit has actually signed and comes from you.
Here is how you can do that:
Saving Your GPG Key in a Password Manager
This section might be useful for the users who make a number of commits and want to automate the entry of the password on committing it. You can use a password manager to save and auto-enter the password every time a new commit is done.
A lot of Linux Distributions ships with their own password managers which might do this job. I use Linux Mint which ships with Seahorse also known as "Passwords and Keys" which does the job pretty well for me.
Not recommended unless you own the computer and the account on which you are saving the password.
and that's all. Now you can securely sign and share your commits which will help others to know that whether a commit actually comes from you or not.
Top comments (0)