captainepoch's log

GPG and GitHub

As you may know, GitHub published an article on its blog called “GPG signature verification”. What that means is that you can sign your commits with a GPG key, and GitHub will check the signature and show a “Verified” badge next to the commit. That's cool, because the name and e-mail in a commit are plain text that anyone can put in their git config; the signature is what ties the commit to a key that only you hold.

So, let’s get started!

What do you need?

I use ArchLinux or Mac OS X when I do programming, so Windows users, I'm sorry :(, I'll add Windows' settings as soon as I need Windows for programming :). Install everything however you like (package manager or manually, that's your business).

Let’s get the party on!

Before you go on with the article, this is what a commit looks like on GitHub before you sign anything: just the author and message, with no badge next to it.

To start you need a GPG key (a revoked or expired key won't do: GitHub will not mark commits signed with it as verified). If you don't have one, stop here, install GPG (GPG Tools on Mac, gnupg from your package manager on Linux) and generate one. There's a good tutorial at GitHub's Help. 2048-bit RSA is plenty for commit signing; 4096 works too, it just makes signing and verification a bit slower.

After generating your public-private key pair you need to add your public key to GitHub's settings. One thing to check first: the e-mail address in the key's user ID must be the same address you commit with (git's user.email), and that address must be a verified e-mail on your GitHub account; otherwise the commit is still shown as Unverified even though the signature is fine. To find your key, execute this command first:

$ gpg --list-keys

This command lists every key in your GPG keyring, including other people's public keys; gpg --list-secret-keys shows only the keys you hold the private part for, which are the ones you can sign with. Look for the ID of the key in output like this:

pub   2048R/**AB12CD34** 2016-03-17
uid       NAME AND EMAIL
sub   2048R/EF9AC987 2016-03-17

In this example the ID is AB12CD34. That is the 8-character short key ID; short IDs are easy to collide with, so in practice run gpg with --keyid-format LONG (or use the full fingerprint) and use that wherever this article says AB12CD34.

Then export the public key with this command. It prints the ASCII-armored public key to the terminal, so you might want to redirect it to a file:

$ gpg --armor --export AB12CD34

Where AB12CD34 is your GPG key ID. Copy the whole block, including the BEGIN and END lines, and go to GitHub.com > Settings > SSH and GPG keys.

Press the “New GPG key” button, paste your public key and press “Add GPG key”. Your GPG key is now ready to sign your commits!

When you're ready to commit, use this command:

$ git commit -S -m "MSG"

Where -S means “Sign”.

Yay! Wait a second… Do you remember the unsigned commit from the beginning? Now your commits carry a Verified tag on GitHub. If you click the Verified tag while reading a commit, GitHub shows you which key ID signed it and the account it belongs to.

Enjoy the sign!

Improvements

Once you have done everything above, let's improve the setup.

Automatically sign every commit

Using the last command is a bit odd. Personally, I forgot to put the -S on the last commits I made. So I found a way to automatically sign every commit I do (and so can you).

First, put the GPG key ID in your .gitconfig with this (remember that AB12CD34 is your GPG key ID!). This tells git exactly which key to sign with; without it, git asks gpg for whichever key matches your committer e-mail, which gets ambiguous as soon as you have more than one:

$ git config --global user.signingkey AB12CD34

Then tell git “hey, sign everything!” with this command:

$ git config --global commit.gpgsign true

And you’re ready to go!
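Here is the whole procedure above (generate a key, export it, point git at it, sign a commit) run end to end, with the autosign setting from this section and an offline check that stands in for GitHub's badge. This is an added example script, not code from the original post: it works in throwaway directories so it never touches your real keyring or repositories, it assumes GnuPG 2.1 or newer and git on your PATH, and the identity “Demo User <demo@example.com>” is made up for the demo. The last step shows git's own verdict on each commit (%G? is G for a good signature, N for none, B for bad, E for a key it can't find) and git verify-commit, which is what you would run locally to check someone else's signed commit.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end signed-commit demo
# in throwaway directories. Assumes gpg (GnuPG 2.1+) and git are on PATH.
# Returns 0 on success, 2 if a prerequisite is missing, 1 if a step fails
# (the temporary directories are then left in place for inspection).

demo_signed_commit() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    command -v git >/dev/null 2>&1 || { echo "git not found" >&2; return 2; }

    # Throwaway keyring and repository, constructed for the demo.
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    repo=$(mktemp -d) || return 1

    # 1. Generate a passphrase-less key for the demo identity. The e-mail in
    #    the user ID must match the commit e-mail (and be verified on GitHub)
    #    for the web UI to show "Verified".
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo User <demo@example.com>" default default never \
        >/dev/null 2>&1 || { echo "key generation failed" >&2; return 1; }

    # 2. Take the full fingerprint instead of the 8-character short ID.
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || return 1

    # 3. The armored block you would paste into Settings > SSH and GPG keys.
    gpg --armor --export "$fpr" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK' || return 1

    # 4. Point git at the key and turn on signing for every commit
    #    (repo-local here; the article uses --global).
    git -C "$repo" init -q || return 1
    git -C "$repo" config user.name "Demo User"
    git -C "$repo" config user.email "demo@example.com"
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign true

    # 5. One commit signed by the autosign setting, one forced unsigned for contrast.
    echo hello > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "signed commit" || return 1
    echo more >> "$repo/README"
    git -C "$repo" commit -q -a --no-gpg-sign -m "unsigned commit" || return 1

    # 6. Offline equivalent of GitHub's badge: %G? per commit, then
    #    verify-commit, which exits non-zero when there is no good signature.
    git -C "$repo" log --format='%G? %s' -2
    git -C "$repo" verify-commit HEAD~1 2>/dev/null || return 1
    if git -C "$repo" verify-commit HEAD 2>/dev/null; then
        echo "unsigned commit unexpectedly verified" >&2
        return 1
    fi

    # Clean up the agent and the temporary directories.
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME" "$repo"
    unset GNUPGHOME
    return 0
}

demo_signed_commit
```

Run it once and compare the two lines it prints: “G signed commit” and “N unsigned commit”. If you instead see E, git could not find the key in the keyring it was given, which is the same situation GitHub is in when the public key has not been uploaded.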

Mac OS X workaround

When I set up GPG Tools on Mac, I did it through brew. I only installed 2 or 3 packages from the GPG Tools suite, and gpg was not one of them (I installed gpg2 instead). If you did the same, you'll have problems, because git looks for gpg, not gpg2. So you must tell git that you want to use gpg2 with this command:

$ git config --global gpg.program gpg2

You only need this if gpg really is missing from your PATH (check with which gpg); current gnupg builds install the binary as gpg again. A different Mac problem with similar symptoms (git says “failed to sign the data”) is pinentry not knowing which terminal to prompt on; exporting GPG_TTY=$(tty) in your shell profile fixes that one.

Notes

On deleting your GPG key from GitHub

If you delete your GPG key from GitHub, your commits will look like this:

With the Unverified tag on every commit you signed with that key. I don't know what happens when someone revokes a key, but I guess it's the same.

Conclusions

If you did this and didn't get any error, congrats! You're ready to use GPG at GitHub (and then for e-mail, which you should).

Even if you use another site, like GitLab, it doesn't matter: the signature is stored inside the commit object itself, so it is committed and pushed along with everything else, and any host or colleague with your public key can verify it.

You should now use a GPG key and sign every commit you make, because proving that a commit really came from you is important!