As you may know, GitHub published an article on its blog called “GPG signature verification”. What that means is that you can sign your commits with a GPG key. And that’s cool, because it verifies you as the real committer.
So, let’s get started!
What do you need?
I use ArchLinux or Mac OS X when I do programming, so Windows users, I’m sorry :(, I’ll add Windows’ settings as soon as I need Windows for programming :). You should install everything as you want (package manager or manually, that’s your business).
- GPG Tools installed. You should install them with your favourite package manager.
- Git (the CLI, not a third-party application).
Let’s get the party on!
Before you go on with the article, this is how you see GitHub’s commits:
To start with this you need to have a GPG key generated (I guess you can’t use a revoked key). If you don’t have one, stop here, install GPG Tools and generate one. There is a great tutorial at GitHub’s Help (please don’t use 4096 as the size, you don’t need it. Instead use 2048!).
After generating your public-private key pair you need to add your public key to GitHub’s settings. To see your public key, execute this command first:
$ gpg --list-keys
This command will list the keys in GPG’s keyring. You then look for the ID of the key in output like this:
pub   2048R/AB12CD34 2016-03-17
uid                  NAME AND EMAIL
sub   2048R/EF9AC987 2016-03-17
In this example the ID will be AB12CD34.
Then you export the public key with this command. Note that it will print the public key to the terminal, so you might want to use a redirection:
$ gpg --armor --export AB12CD34
AB12CD34 should be your GPG key ID. Copy your public key and go to GitHub.com > Settings > SSH and GPG keys.
You will see this:
Press the “New GPG key” button and paste your public key:
And press on “Add GPG key”. You will now have your GPG key ready to sign your commits!
When you’re ready to commit, you must use this command:
$ git commit -S -m "MSG"
-S means “Sign”.
Yay! Wait a second… Do you remember the first image? Now your commits will look like this, with a Verified tag. Also you may notice this when you’re reading a commit and click on the Verified tag:
Enjoy the sign!
Once you have done everything I put up there, let’s improve the setup.
Automatically sign every commit
Using the last command is a bit odd. Personally I forget to put the -S in the last commits I did. So I found a way to automatically sign every commit I do (and you can too).
First of all you’ll put the GPG key ID in the .gitconfig file with this command (remember that AB12CD34 is your GPG key ID!). This will identify your key automatically and you have to do nothing else:
$ git config --global user.signingkey AB12CD34
Then you have to tell git “hey, autosign this!” with this command:
$ git config --global commit.gpgsign true
And you’re ready to go!
Mac OS X workaround
When I set up GPG Tools on Mac, I did it through brew. I just installed 2 or 3 packages from the GPG Tools pack, so gpg was not one of them (instead I installed gpg2). If you did it like me, you’ll have problems because git doesn’t recognize gpg. So you must specify that you want to use gpg2 with this command:
$ git config --global gpg.program gpg2
On deleting your GPG key from GitHub
If you delete your GPG key from GitHub your commits will look like this:
You get an Unverified tag on every commit you signed with that key. I don’t know what happens when someone revokes a key, but I guess it’s the same.
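As an added example (not from the original post), here is a small POSIX shell script that checks locally what GitHub’s Verified/Unverified badge reflects, using git’s %G? signature-status placeholder; the commit hashes and key IDs in it are constructed sample data, and R is the status git reports for a commit signed with a key that has since been revoked.

```shell
#!/bin/sh
# Added example: audit commit signature status with git's %G? / %GK placeholders.
# This lets you see, without relying on GitHub's badge, which commits are
# unsigned, signed with an unknown key, or signed with a revoked key.

# Map a %G? status code to a short description.
sig_status_text() {
  case "$1" in
    G) echo "good signature" ;;
    B) echo "BAD signature" ;;
    U) echo "good signature, key not trusted" ;;
    X) echo "good signature, expired" ;;
    Y) echo "good signature, key expired" ;;
    R) echo "good signature, key REVOKED" ;;
    E) echo "cannot check (public key missing)" ;;
    N) echo "unsigned" ;;
    *) echo "unknown status '$1'" ;;
  esac
}

# Read "<hash> <status> <keyid>" lines on stdin (what git prints for
# --format='%H %G? %GK'), report each commit and count those that would
# not show as verified (anything other than G or U).
audit_signatures() {
  bad=0
  while read -r hash status keyid; do
    [ -n "$hash" ] || continue
    case "$status" in
      G|U) ;;
      *) bad=$((bad + 1)) ;;
    esac
    printf '%s %s %s\n' "$hash" "${keyid:--}" "$(sig_status_text "$status")"
  done
  echo "commits not verified: $bad"
}

# Constructed sample log lines (not real commits or keys).
SAMPLE_LOG='1111111 G AB12CD34
2222222 N
3333333 R AB12CD34
4444444 E 0123ABCD'

# On a real repository:  git log --format='%H %G? %GK' | audit_signatures
printf '%s\n' "$SAMPLE_LOG" | audit_signatures
```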
If you did all this and didn’t get any error, congrats! You’re ready to use GPG on GitHub (and then for email, and you should).
Even if you use another website, like GitLab, it doesn’t matter. You sign your commit, and everything is committed and pushed as usual.
You should now use a GPG key and sign every commit you do. Because verifying yourself is important!