It is important to sign the Git commits for your source code, so that nobody can slip code into your repositories under your name. If you don’t know how, I will guide you through signing Git commits in this post.
Why Should I Sign Git Commits?
Clearly, this is the first question that pops into your mind after hearing about signing Git commits.
Okay, if you’re into Git, you might already know that you can change the Git commit author name and email with a couple of simple commands.
$ git config user.name 'Pete Houston'
$ git config user.email 'email@example.com'
Wait, if it is my code, then I should configure my Git repositories like above, but anyone can change their config to pretend their commits are mine.
Oh wow, so if somebody claims to be me and somehow manages to push their malicious code into production branches, then I’m totally f*cked for sure.
Also, signing Git commits guarantees that my code is my work, it is my copyright and nobody else can fake it.
So, it is good to sign your Git commits, don’t you think?
Steps to set up signing Git commits
On Windows, you need to install the following tools:
The Git Bash for Windows package ships with pre-built gpg utilities, but they’re kinda outdated, so you should download and install GPG4Win for the latest version. Also, make sure you have Git version 2.0+ for it to work.
On Linux or Mac, if you have set up a development environment then you have all the necessary tools for signing.
Let’s go to the next steps.
1. Generate a GPG key pair
Use one of the following commands to generate a GPG key pair for your work.
$ gpg --full-generate-key
$ gpg --default-new-key-algo rsa4096 --gen-key
You will be prompted for the details of the key to create.
I recommend using the max key size of 4096, and the key should not expire.
At the last step, you will need to input your name and email. If you use GitHub, use your GitHub name and email. If you use other Git services, then input the appropriate values.
2. List your keys
To make sure your GPG key pair has been created, execute the following command and verify the output.
$ gpg --list-secret-keys --keyid-format LONG
You will see something similar to this.
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10
Copy your key ID from the result for the following steps. In this case, the key ID is 3AA5C34371567BD2.
3. Share your public keys
Make your key public and recognizable around the Internet now. Run this command:
$ gpg --send-keys 3AA5C34371567BD2
Don’t worry, this command sends the public key only; it never sends your secret key!
4. Add key to GitHub
Now, let’s export your public key using the key ID.
$ gpg --armor --export 3AA5C34371567BD2
It will display the GPG key including both header and footer text, something like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
KEY_CONTENT....
-----END PGP PUBLIC KEY BLOCK-----
Go to the Settings > SSH and GPG keys section on GitHub.
Click the green button to add a New GPG Key.
Copy and paste the above public key and click the button to add it.
5. Configure the GPG program
To sign your Git commits, you will need to specify a GPG program. Try the following commands:
# on Windows
$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"
# on Linux / Mac
$ which gpg
/usr/local/bin/gpg
$ git config --global gpg.program "/usr/local/bin/gpg"
Just change the path to your gpg executable path.
6. Set up Git to auto-sign every commit
To specify a key for auto-signing commits in a single repository, execute these commands:
$ git config user.signingkey 3AA5C34371567BD2
$ git config commit.gpgsign true
If you want to use this GPG key ID for all Git repositories on your computer, add option
7. (Optional) Disable TTY
If you don’t use the command line for Git, but work directly inside IDEs like VS Code, Sublime Text, Atom… you might want to disable TTY. It sometimes causes trouble with auto-signing commits.
$ echo 'no-tty' >> ~/.gnupg/gpg.conf
There you go, it’s done now!
You can try creating a new Git commit, and you will see a little Verified badge beside your commit ID.
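To check from the command line which commits in a repository lack a good signature, here is an added example (not code from the original post). It builds a throwaway repository containing one unsigned commit under the author name and email used earlier, then reports every commit whose signature status is not good. The function names list_unverified, require_signed and make_demo_repo are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: audit a repository for commits without a good signature.
# %G? is git's signature status: G = good, N = no signature, B = bad,
# U = good signature of unknown validity, E = signature cannot be checked.

# list_unverified REPO [REV]
# Print "<status> <short hash> <author> <email>" for each commit reachable
# from REV (default HEAD) whose status is anything other than G.
list_unverified() {
    git -C "$1" log --format='%G? %h %an <%ae>' "${2:-HEAD}" | grep -v '^G ' || true
}

# require_signed REPO [REV]
# Return 1 if any commit is not verified; usable as a CI or pre-merge gate.
require_signed() {
    unverified=$(list_unverified "$1" "${2:-HEAD}")
    if [ -n "$unverified" ]; then
        printf 'commits without a good signature:\n%s\n' "$unverified" >&2
        return 1
    fi
    return 0
}

# make_demo_repo
# Constructed sample input: a temporary repository with one unsigned commit
# whose author fields are set purely through configuration. Prints its path.
make_demo_repo() {
    demo_dir=$(mktemp -d)
    git -C "$demo_dir" init -q
    git -C "$demo_dir" -c user.name='Pete Houston' -c user.email='email@example.com' \
        -c commit.gpgsign=false commit -q --allow-empty -m 'unsigned demo commit'
    printf '%s\n' "$demo_dir"
}

# Usage: repo=$(make_demo_repo); require_signed "$repo"; rm -rf "$repo"
```

The author fields alone look legitimate in the log; only the N status shows that nothing backs them. Note that G depends on the verifier's own keyring, so a signed commit reports E on a machine that does not have the signer's public key.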