Sign your commits with a gpg key
Posted on March 15, 2021 by Adrian Wyssmann ‐ 4 min read
Often open source projects require you to sign your git commits in order to verify they are coming from you. I made a quick tutorial on what is needed.
GPG or GNU Privacy Guard is a …
… complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.
GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).
Besides encryption, it is also used for signing commits and tags, which open source projects often require so that it can be verified that the commits came from you. I also do this by default with my personal projects.
How to create a key
First you need a private/public key pair, which you can create with gpg --gen-key or gpg --full-gen-key. The first one uses default values for key type and key size and does not limit the key's expiration, whereas the latter asks you for more details:
Some things to notice:
- key types: see RSA and DSA
- key size: larger is usually better
- expiration: making keys expire forces you to replace them regularly, which is good practice
As a next step, you have to provide proper identification for your key:
Next you will be asked to enter a passphrase and confirm it. You can, however, skip the passphrase and leave the key unprotected. This means that if somebody gets hold of your private key, they can sign things with your key and even encrypt and decrypt data which is only meant for your eyes.
Finally, there will be the following dialog:
Once you have enough entropy the key is generated:
It is very important that you store the .rev file (the revocation certificate) somewhere safe, together with your passphrase, because if your key is stolen you can use it to revoke the key from the Public Key Infrastructure (PKI).
How to sign your commits
Commit signing, however, does not rely on a public PKI; instead it requires your public key to be stored in your remote git account:
- Gitlab: Signing commits with GPG
- Github: Managing commit signature verification
- Bitbucket: Using GPG keys
Once you have the public key stored in your git account, you have to enable signing of your commits. First you have to tell git which key to use. Thus, to use the recently created key 4628049F4CFFD495056E0AEC8363F2D1ABB00CF0E, you would execute:
Then you can sign commits using -S:
or even tags:
I usually sign everything by default; to avoid typing -S every time, I configure signing to be enabled by default:
Now your commits will be shown with a green Verified label.
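The whole procedure above as one script, added here as an example and not part of the original post: it checks that the key ID is a full fingerprint or long ID, that the matching secret key is actually in the local keyring, writes the git settings for commits and tags, and verifies the signature on the latest commit. It assumes gpg and git are on PATH; the key ID you pass in is a placeholder for your own.

```shell
#!/bin/sh
# Added example (not from the original post): configure git to sign with a
# given GPG key after sanity checks, then verify the signature on HEAD.
# Assumes gpg and git are on PATH; the key ID is your own (placeholder).

# Accept only a 40-hex-digit fingerprint or a 16-hex-digit long key ID.
# Short 8-digit IDs are rejected: several keys can share one, so git
# could end up signing with the wrong key.
valid_key_id() {
  case "$1" in
    ''|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  case "${#1}" in
    40|16) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the local keyring holds a secret key for the given ID
# (colon-separated listing: secret keys appear as "sec:" records).
have_secret_key() {
  gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null | grep -q '^sec:'
}

# Point git at the key and turn on signing for both commits and tags,
# so -S no longer has to be typed every time.
configure_signing() {
  key="$1"
  valid_key_id "$key" || { echo "refusing '$key': use the 40-digit fingerprint or 16-digit long ID" >&2; return 1; }
  have_secret_key "$key" || { echo "no secret key for $key in the local keyring" >&2; return 1; }
  git config --global user.signingkey "$key"
  git config --global commit.gpgsign true
  git config --global tag.gpgSign true
}

# Exit 0 only if gpg reports a good signature on the newest commit of
# the current repository (what the Verified label checks server-side).
verify_head() {
  git verify-commit HEAD
}

# Usage: ./sign-setup.sh setup <KEY-ID>    or    ./sign-setup.sh verify
case "${1:-}" in
  setup)  configure_signing "${2:-}" ;;
  verify) verify_head ;;
esac
```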