How to Sign Your Commits?

5 min read

In this article you'll learn to sign your work like a famous artist.

Exactly that: you can sign every piece of code you write, every little piece of art you program, in each commit. Why is it important to sign commits? By signing the commits or tags you create locally, other people can verify that the work was produced by whoever holds your private key, rather than by anyone who simply set the same name and e-mail in their own Git configuration. When a commit or tag carries a cryptographically verifiable GPG signature, GitHub or GitLab marks it as verified.

Repository administrators can also make signing a branch requirement, so that any commit that is not signed and verified is rejected. For more information, see "About required commit signing". GitHub automatically uses GPG to sign commits you make through GitHub's web interface, except when you squash and merge a pull request of which you are not the author. Commits signed by GitHub show a verified status on GitHub. You can verify those signatures locally using the public key published at https://github.com/web-flow.gpg.

What is GPG?

GPG stands for GNU Privacy Guard; it is free software for encryption and digital signatures, released under the GPL license. You can use GPG to sign commits with a GPG key that you generate yourself.

Signing Commits Using GPG

To sign commits using GPG and have them verified on GitHub, you must follow these steps:

Generate a New Key

You can generate a new GPG key to use for your commits and tags. Keys can use different cryptographic algorithms. The algorithms GitHub accepts are:

  • RSA
  • ElGamal
  • DSA
  • ECDH
  • ECDSA
  • EdDSA

Note that ElGamal and ECDH are encryption algorithms, so a key you intend to sign with must be RSA, DSA, ECDSA or EdDSA.

Note: Before generating a new GPG key, make sure you have verified your email address on GitHub. If you haven't, commits and tags you sign with that key will not be shown as verified.

  1. Download and install the GPG command line tool for your operating system.
  2. Open a terminal on Linux or Git Bash on Windows.
  3. Generate a GPG key pair. This guide uses RSA. If you're using GPG version 2.1.17 or higher, use the command gpg --full-generate-key. If you're using an older version, use the command gpg --default-new-key-algo rsa4096 --gen-key, which already fixes the algorithm and size and skips to the user ID prompts.
  4. In more modern versions you get a prompt where you must specify the kind of key you want; accept the default (RSA and RSA). Then enter the key size: make it at least 4096 bits. You must also enter how long the key should remain valid.
  5. Verify your user ID information. Note: when asked to enter your email address, make sure to use the one associated with your GitHub account.
  6. Enter a passphrase to protect the private key.
  7. Use the command gpg --list-secret-keys --keyid-format LONG to list the GPG keys for which you have both a public and a private key. A private key is required to sign commits or tags. Some GPG installations on Linux may require you to use gpg2 instead of gpg.
  8. From the list of GPG keys, copy the ID of the GPG key you want to use. The long key ID is the 16 hexadecimal characters after the slash on the sec line; in this example, the GPG key ID is 3AA5C34371567BD2:

         $ gpg --list-secret-keys --keyid-format LONG
         /Users/ragnarok22/.gnupg/secring.gpg
         ------------------------------------
         sec   4096R/3AA5C34371567BD2 2021-03-17 [expires: 2021-04-17]
         uid                          Ragnarok22
         ssb   4096R/42B317FD4BA89E7A 2021-03-17

  9. Run the following command, substituting the ID of the GPG key you want to use. In this example the ID is 3AA5C34371567BD2:

         $ gpg --armor --export 3AA5C34371567BD2

  10. Copy your GPG public key, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----. Only the public key is exported; the private key never leaves your machine.

Add a GPG Key to Your GitHub Account

Once you have exported your public key you must add it to your account. Go to GitHub settings: your profile, Settings, SSH and GPG keys. There, click New GPG key, paste the key block into the Key field and click Add GPG key. GitHub may ask for your password to confirm the action. From then on, GitHub can check signatures made with your private key against this public key, which is what produces the verified badge.

Use the Key for Your Commits

We now have our GPG key and GitHub knows it, but how do we tell Git to use the key to sign commits and tags? Open the terminal on Linux or Git Bash on Windows and run gpg --list-secret-keys --keyid-format LONG to list your GPG keys. From the list, copy the ID of the key you want to use (the same one you added on GitHub); in this example, the GPG key ID is 3AA5C34371567BD2. To configure your signing key in Git, run the following command, substituting the ID of your own key: git config --global user.signingkey 3AA5C34371567BD2. This only adds the line signingkey = 3AA5C34371567BD2 under the [user] section of your Git configuration file, .gitconfig. Git still signs nothing by default: either pass -S to each commit you want signed (git commit -S -m "message"), or have every commit signed automatically with git config --global commit.gpgsign true. The first time you sign a commit after that, GPG will ask for the passphrase so it can use the private key. You can check a signature locally with git log --show-signature -1, which is the same check GitHub performs before showing the verified badge.
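The whole procedure from the steps above, as an added example rather than code from the original article: it generates a key non-interactively, extracts the long key ID from the gpg listing, exports the public key block you would paste into GitHub, configures a throwaway Git repository to sign with that key, makes a signed commit and verifies it locally. It assumes GnuPG 2.1.17 or later and Git on PATH, runs inside a temporary GNUPGHOME so your real keyring is never touched, and the name, e-mail and one-year lifetime are placeholders. It uses an empty passphrase so it can run unattended; a key you actually use should have one.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the signing workflow end to end
# in a throwaway keyring and repository. Assumes GnuPG >= 2.1.17 and Git.
set -eu

# Pull the 16-hex-digit long key ID out of `gpg --list-secret-keys --keyid-format LONG`.
# Handles the modern "sec   rsa4096/3AA5C34371567BD2" form as well as the older
# "sec   4096R/3AA5C34371567BD2" form shown in the article; prints the first secret
# primary key found (the ID is what goes into user.signingkey).
extract_long_keyid() {
    sed -n 's#^sec[^/]*/\([0-9A-Fa-f]\{16\}\).*#\1#p' | head -n 1
}

# Create a signing-only key with no interactive prompts. The usage (sign) and
# expiry (1y) are the answers you would give at the prompts in the article.
# $1 = user ID, $2 = algorithm (rsa4096 as in the article, or ed25519).
generate_signing_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" "$2" sign 1y >/dev/null 2>&1
}

# Run the full procedure and print Git's one-letter verdict for the resulting
# signature ("G" = good signature from a trusted key).
demo_signed_commit() {
    local algo="${1:-rsa4096}"
    local uid="Ragnarok22 <ragnarok22@example.com>"   # placeholder identity
    local work keyid verdict
    work="$(mktemp -d)"
    export GNUPGHOME="$work/gnupg"                    # isolated keyring
    mkdir -m 700 "$GNUPGHOME"

    generate_signing_key "$uid" "$algo"
    keyid="$(gpg --list-secret-keys --keyid-format LONG | extract_long_keyid)"
    [ -n "$keyid" ] || { echo "no secret key found" >&2; return 1; }

    # Steps 9 and 10 of the article: the armored public key is what GitHub wants.
    gpg --armor --export "$keyid" > "$work/public-key.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/public-key.asc"

    # Point Git at the key and sign every commit (otherwise you need git commit -S).
    git init -q "$work/repo"
    git -C "$work/repo" config user.name "Ragnarok22"
    git -C "$work/repo" config user.email "ragnarok22@example.com"
    git -C "$work/repo" config user.signingkey "$keyid"
    git -C "$work/repo" config commit.gpgsign true
    git -C "$work/repo" commit -q --allow-empty -m "signed commit"

    # The check GitHub performs server-side, done against the local keyring.
    git -C "$work/repo" verify-commit HEAD 2>/dev/null
    verdict="$(git -C "$work/repo" log -1 --format=%G?)"

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    unset GNUPGHOME
    echo "$verdict"
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    demo_signed_commit "${KEY_ALGO:-rsa4096}"
fi
```

Run it as a script; it prints G when the signature verifies. Set KEY_ALGO=ed25519 for a faster run with an EdDSA key, which GitHub also accepts. The verify-commit step succeeds only because the public key is present in the keyring, which is exactly why GitHub needs you to upload it before it can show the verified badge.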

Conclusions

As you have seen, signing commits takes a few steps the first time, but none of them are complicated, and it is very useful if you want stronger guarantees about who wrote what. If you want to know more about working with multiple signatures you can read this article. If you want to know how to sign tags you can read this GitHub article.