How to sign your commits

• #git
• #github
• #ssh

→ September 2 2022

You need sign your commits right now!!!

If you happen to be a github user (like most of the software developers out there) you might have seen a “Verified” green badge next to some commits.

• What does it mean?
• Are they part of secret society of Verified users?
• Should I be signing my commits too?
• Is math related to cryptography?

Let’s be real here, we all like shiny green badges. And that’s enough reason to sign our commits.

Table of contents

• Using GPG to sign commits
• Add GPG key to Github
• Configure Git to use GPG key
• Using SSH keys to Sign Commits
• Resources

Using GPG to sign commits

Before we get started, please check the version of gpg is up to date by running:

gpg --version

Mine is gpg (GnuPG) 2.2.37.

Generate the GPG key

gpg --full-generate-key

1. what kind of key you want: select RSA (sign only) by typing 4 and hit Enter
2. keysize: type 4096 and hit Enter
3. how long the key should be valid: recommended 2y or 3y

Answer the questions:

1. Real name: Your name or your Github username
2. Email address: The verified email address for your github account
   • Github specific: You could also use the no-reply email of your Github account: At email settings bellow the Keep my email addresses private checkbox should be the no-reply email like @users.noreply.github.com
3. Assuming everything is fine, type O to confirm
4. Provide a passphrase: Choose a secure passphrase
   • personal recommendation: create a passphrase made of 12 to 16 characters with at least one special character ($, #, @, ...)

Test the GPG key

echo 'hi!' | gpg --clear-sign > test.txt
gpg --verify test.txt

It should say something like: Good signature from "USERNAME (Test Key) <example@email.com>"

Get the GPG key ID

gpg --list-secret-keys --keyid-format=long
# or
gpg -K --keyid-format=short

# Output:

sec   rsa4096/A537823F 2022-09-02 [SC] [expires: 2023-09-02]
    E98E6B0663442DE0463E2A880FE0F073A537823F
uid         [ultimate] USERNAME (Test Key) <example@email.com>

In this case the key ID is A537823F (from rsa4096/A537823F)

Add GPG key to Github

• Get the public key

  gpg --armor --export A537823F
  
  # generated key
  # -----BEGIN PGP PUBLIC KEY BLOCK-----
  # ....
  # -----END PGP PUBLIC KEY BLOCK-----

• Copy the generated key

• Go to SSH and GPG keys on github or Add new GPG key on github

  • More details here

• Paste the generated key

• Click Add GPG key

Configure Git to use GPG key

With the key ID A537823F

• Add signingkey

  git config --global user.signingkey A537823F

• Enable sign for all commits and tags

  git config --global commit.gpgSign true
  git config --global tag.gpgSign true

• Set your name and email

  git config --global user.name USERNAME
  git config --global user.email example@email.com

Gpg agent configuration

• Export GPG_TTY append the following to your .bashrc / .zshrc or your initialization file

  export GPG_TTY=$(tty)
  
  # For fish users:
  set -x GPG_TTY $(tty)

• Configure gpg.conf

  • create ~/.gnupg/gpg.conf
  • append use-agent to ~/.gnupg/gpg.conf

Using SSH keys to Sign Commits

If you don’t have a ssh key already, check:

• Generating a new SSH key - Github Docs
• Adding a new SSH key - Github Docs

Don’t forget to set the Key type to Signing key

If you do have one, then:

Configure git to use ssh

git config --global gpg.format ssh

Copy your public ssh key

cat ~/.ssh/id_ed25519.pub

Set the signkey to your public ssh key (replace the text inside the quotes)

# Beware of the quotes
git config --global user.signingkey 'key::ssh-ed25519 AAAAC3(...) example@email.com'

Verify your signed commit

git commit -m "Some message"

# Verify the commit

git verify-commit 488a8d82 # get the hash with git log
# Or
git log --show-signature

Resources

• About signature verification - Github Docs
• Generate a new SSH key - Github Docs
• Tell git about your keys - Github Docs
• How (and why) to sign Git commits
• Signing Git Commits with SSH Keys
• GPG agent
• OpenPGP Best Practices