
Sign git commits with GPG key

Abstract

Git can attach a signature to each commit. By doing this you give your version control system a way to verify the identity of the person who performed the commit. To do this you need to generate a private and public key pair, configure the git client on your machine to use the GPG key, and submit the public key to your VCS (GitHub, GitLab, etc.). Below you can find the steps to implement commit signing.

Generate the key

$ brew install gpg
$ gpg --gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.

Enter your real name, email address and a passphrase when prompted.

Once key generation is complete, you can verify it by running:

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2022-01-17
/Users/user/.gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2020-04-04 [SC] [expires: 2022-04-04]
      E2A9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid           [ultimate] Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com>
sub   rsa2048 2020-04-04 [E] [expires: 2022-04-04]

Copy the public key to the clipboard to paste it into your Git hosting account settings:

$ gpg --armor --export E2A9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | pbcopy

GPG useful commands

$ gpg --delete-key key-ID
$ gpg --list-keys
$ gpg --delete-key keyID1 keyID2 keyID3
$ gpg --delete-secret-key key-ID
$ gpg --default-new-key-algo rsa4096 --gen-key

Configure git client to sign commits

Update your .gitconfig file with the following items. Assign signingkey the key ID from the gpg output, turn on signing by setting gpgsign = true, and define the program used to produce the signature. Part of a .gitconfig with signing enabled:

[user]
	name = XXXXXX
	email = xxxx@xxxx.xxx
	signingkey = E2A9xxxxxxxxx
[commit]
	gpgsign = true
[merge]
	tool = opendiff
	conflictstyle = diff3
[gpg]
	program = gpg

Add signature to git-based server

Verify commits

Once the GPG signature is added to a commit, you can verify the commits in your repository for the validity of the key and also inspect the commit details with git's internal tools:

$ git log --show-signature
commit b6df3265fce5e0809a5409e77da94c97ef7c70cc (HEAD -> master, origin/master)
gpg: Signature made Wed Feb 12 13:26:20 2020 EET
gpg:                using RSA key E2A9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg:                issuer "mr.robot.xxxxxxxxxxxxx@gmail.com"
gpg: Good signature from "Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com>" [ultimate]
Author: Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com>
Date:   Wed Feb 12 13:26:19 2020 +0200
    added description for prometheus real-life statistics
commit dfb25b1d487a4b0433b33c3cd39e00e0fe5cf770
gpg: Signature made Wed Feb 12 13:17:39 2020 EET
gpg:                using RSA key E2A9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg:                issuer "mr.robot.xxxxxxxxxxxxx@gmail.com"
gpg: Good signature from "Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com>" [ultimate]
Author: Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com>
Date:   Wed Feb 12 13:17:39 2020 +0200
    change directories structure
$ git cat-file -p b6df3265fce5e0809a5409e77da94c97ef7c70cc
tree 440996dc5e3609cde15a5826dae92a87469c9341
parent dfb25b1d487a4b0433b33c3cd39e00e0fe5cf770
author Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com> 1581506779 +0200
committer Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com> 1581506779 +0200
gpgsig -----BEGIN PGP SIGNATURE-----
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 =xxxx
 -----END PGP SIGNATURE-----
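What git actually hands to gpg when it verifies that object, as an added Python example (not code from the original post): the gpgsig header is stripped and its continuation lines unindented so the signature is checked against exactly the bytes that were signed. The sample commit is constructed from the output above with the signature body replaced by x's, and verify_commit_text mirrors git's own gpg invocation, so it needs a real signature and the signer's public key in the local keyring to return True.

```python
import subprocess
import tempfile

# Constructed sample modelled on the `git cat-file -p` output above; the
# armoured signature body is replaced by x's, so gpg cannot verify it.
SAMPLE_COMMIT = """tree 440996dc5e3609cde15a5826dae92a87469c9341
parent dfb25b1d487a4b0433b33c3cd39e00e0fe5cf770
author Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com> 1581506779 +0200
committer Mr.Robot <mr.robot.xxxxxxxxxxxxx@gmail.com> 1581506779 +0200
gpgsig -----BEGIN PGP SIGNATURE-----
 xxxxxxxx
 =xxxx
 -----END PGP SIGNATURE-----

added description for prometheus real-life statistics
"""

def split_signed_commit(raw):
    """Return (payload, signature) for the text of a commit object.
    Git keeps the armoured signature in a `gpgsig` header whose continuation
    lines start with one space; the signature covers the object *without*
    that header, so drop it and unindent to rebuild the signed bytes."""
    headers, _, message = raw.partition("\n\n")
    payload_lines, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            payload_lines.append(line)
    payload = "\n".join(payload_lines) + "\n\n" + message
    signature = "\n".join(sig_lines) + "\n" if sig_lines else None
    return payload, signature

def verify_commit_text(raw):
    """Run gpg over payload and detached signature the way git does;
    True only for a GOODSIG from a key in the local keyring."""
    payload, signature = split_signed_commit(raw)
    if signature is None:  # unsigned commits are rejected outright
        return False
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as sig_file:
        sig_file.write(signature)
        sig_file.flush()
        result = subprocess.run(
            ["gpg", "--status-fd=1", "--verify", sig_file.name, "-"],
            input=payload.encode(), capture_output=True)
    return b"[GNUPG:] GOODSIG" in result.stdout
```

GOODSIG only says the signature is valid for some key in the keyring, which is what "Good signature" in the git log output above means too; a policy check should additionally require a key you actually trust, which git exposes as the %G? and %GT placeholders of git log --format.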

Commit process

Now, once you have completed code changes in any repo, on commit you will be prompted to enter the passphrase for your GPG key, and after that your commit will be signed with this key.

┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key:  │
│ "Xxx Xxxxx <xxxf@xxx.coxxm>"                                   │
│ 4096-bit RSA key, ID XXXXXXXXXXXXXXXX,                         │
│ created 2020-01-18.                                            │
│                                                                │
│                                                                │
│ Passphrase: __________________________________________________ │

Passphrase remove

With gpg v2.2.17 you can remove the passphrase:

$ gpg --edit-key <keyid>
gpg> passwd
gpg> save

Enter the previous passphrase when prompted, then leave the new one empty.
This post is licensed under CC BY 4.0 by the author.