How to Set Up GPG Key for Signed Git Commits: A Step-by-Step Guide
When working with Git, especially on public repositories like GitHub, signing your commits with a GPG key lets anyone verify that a commit really came from the holder of your private key and has not been altered since; GitHub shows such commits with a "Verified" badge. Here's a step-by-step guide to generating a GPG key and configuring Git to sign your commits with it.
Step 1: Generate a GPG Key
Open Git Bash:
- Launch Git Bash from your applications.
Generate a GPG Key:
In Git Bash, run:
gpg --full-generate-key
Choose Key Type:
- Select the type of key you want to generate. Go with the default option:
(9) ECC (sign and encrypt) *default*
- Type 9 and press Enter to choose ECC (Elliptic Curve Cryptography).
Select Elliptic Curve:
- When asked to select an elliptic curve, choose the default:
(1) Curve 25519 *default*
- Type 1 and press Enter to pick Curve 25519. This gives you an Ed25519 signing key.
Set Key Expiry Date:
- You will be asked how long the key should stay valid. Entering 0 creates a key that never expires, but a key with an expiry date is the safer choice: if you ever lose the private key or the passphrase, the key stops being usable on its own, and you can extend the date at any time with gpg --edit-key. A common choice is one year:
1y
- Press Enter.
Confirm Key Details:
- Confirm your choices by typing y and pressing Enter.
Enter User Information:
- Provide your name, email address, and an optional comment. The email address must match the email you commit with (user.email) and be verified on your GitHub account, otherwise GitHub will show your commits as "Unverified". For example:
Real name: Your Name
Email address: example@gmail.com
Comment: My GPG Key
- Press Enter after each input.
Final Confirmation:
- Type o (for Okay) to confirm the details and press Enter.
Set Passphrase:
- A popup will appear asking you to enter a passphrase. Choose a strong one and enter it again when asked to confirm. The passphrase is what protects the private key on disk: without it, anyone who copies your .gnupg folder can sign commits as you. gpg-agent caches the passphrase after the first use (for 10 minutes by default), so you will not be prompted on every commit.
Step 2: Locate Your GPG Key
- List Secret Keys: To list your GPG keys, run:
gpg --list-secret-keys --keyid-format=long
Identify Key ID:
- Look for the line starting with sec. For the Ed25519 key generated above it will look like this (the key ID shown is a placeholder):
sec   ed25519/0123456789ABCDEF 2024-09-15 [SC] [expires: 2025-09-15]
- Copy the key ID: the 16 hexadecimal characters after the slash (here 0123456789ABCDEF). With --keyid-format=long this is the long key ID; the short 8-character form is ambiguous and should not be used to identify a key.
Update Git Configuration:
- Open the .gitconfig file, typically found at C:\Users\<username>\.gitconfig, in a text editor like Notepad.
- Add the signingkey line under the [user] section, using your own key ID:
[user]
    signingkey = 0123456789ABCDEF
Save and Exit:
- Save the changes and close the text editor.
Step 3: Export Your Public Key
- Export Public Key: Run the following command, with your own key ID, to export that key's public part in ASCII-armored form (running gpg --armor --export with no key ID exports every public key in your keyring):
gpg --armor --export 0123456789ABCDEF
Copy Public Key:
- Copy everything between and including the lines:
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
- Only the public key block is ever pasted anywhere. The private key (the output of gpg --export-secret-keys) stays on your machine.
Step 4: Add Your GPG Key to GitHub
Log in to GitHub:
- Open GitHub in your browser and log in to your account.
Navigate to SSH and GPG Keys:
- Click on your profile picture, go to Settings, and find SSH and GPG keys in the sidebar.
Add New GPG Key:
- Click New GPG Key.
Paste and Save Key:
- Paste the public key you copied earlier and click Add GPG Key.
Authenticate:
- Enter your GitHub password if prompted to complete the process.
Step 5: Enable Commit Signing in Git
- Configure Git: To enable commit signing for every commit, run:
git config --global commit.gpgsign true
- Verify Configuration: Ensure commit signing is enabled by running:
git config --global --get commit.gpgsign
It should return true.
Step 6: Test Signing Your Commits
- Create a Test Repository: If you don't have a test repository, create one with:
git init test-repo
cd test-repo
- Make a Test Commit: Add a file and make a commit. Because commit.gpgsign is on, Git calls gpg, and a pinentry popup asks for your passphrase the first time (gpg-agent caches it afterwards):
echo "Test file" > test.txt
git add test.txt
git commit -m "Test commit"
- Verify Signed Commit: To verify that your commit is signed, run:
git log --show-signature
You should see lines like gpg: Signature made ... and gpg: Good signature from "Your Name <example@gmail.com>" above the commit. If the commit instead fails with "gpg failed to sign the data", make sure Git is calling the same gpg that holds your key (the gpg.program setting) and that the key ID in signingkey is the long ID you copied in Step 2.
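The whole procedure above (generate a key, find its long key ID, point Git at it, sign a commit, verify the signature) as one script, written for this page as an added example rather than taken from the original post. It works in a throwaway GNUPGHOME and a throwaway repository so it never touches your real keyring or global .gitconfig, and it replaces the interactive --full-generate-key dialogue with gpg's --quick-generate-key. The name, email address, passphrase and the sample key listing are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the commit-signing procedure
# run end to end, non-interactively, against a throwaway keyring and repo.
# Nothing here touches ~/.gnupg or your global ~/.gitconfig.
set -eu

# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output.
# The key ID and fingerprint are placeholders, not a real key.
SAMPLE_LISTING='/home/alice/.gnupg/pubring.kbx
------------------------------
sec   ed25519/0123456789ABCDEF 2024-09-15 [SC] [expires: 2025-09-15]
      F00DB4BEC0FFEE12345678900123456789ABCDEF
uid                 [ultimate] Alice Example <alice@example.com>
ssb   cv25519/FEDCBA9876543210 2024-09-15 [E] [expires: 2025-09-15]'

# Print the long (16 hex digit) key ID from the first "sec" line on stdin.
# Handles "sec", "sec#" (private key offline) and "sec>" (key on a smart card)
# and any algorithm name before the slash (ed25519, rsa4096, ...). Lines from
# old gpg 2.0 listings that only carry a short 8-digit ID produce no output.
key_id_from_listing() {
    sed -n 's/^sec[ >#]*[a-z0-9]*\/\([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1
}

# Run the parser over the constructed listing (used by the self-check).
sample_key_id() {
    printf '%s\n' "$SAMPLE_LISTING" | key_id_from_listing
}

# Generate a key, configure Git, make a signed commit and verify it.
# Prints Git's one-letter signature status for the commit: G = good signature.
demo_signed_commit() {
    command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 \
        || { echo 'gpg and git are required' >&2; return 2; }
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Step 1, non-interactive: Ed25519, signing only, one-year expiry,
    # protected by a passphrase. Passing the passphrase on the command line
    # is acceptable only for a throwaway demo key; for a real key let the
    # pinentry popup ask for it.
    passphrase='demo-passphrase'
    gpg --batch --pinentry-mode loopback --passphrase "$passphrase" \
        --quick-generate-key 'Alice Example <alice@example.com>' ed25519 sign 1y 2>/dev/null

    # Step 2: pick the long key ID out of the listing.
    key_id=$(gpg --list-secret-keys --keyid-format=long | key_id_from_listing)

    # Git runs gpg for every signature; this wrapper feeds it the demo
    # passphrase so the commit below does not block on a prompt. The same
    # gpg.program knob is what you set when Git picks up the wrong gpg binary.
    wrapper="$work/gpg-wrapper.sh"
    cat > "$wrapper" <<EOF
#!/bin/sh
exec gpg --batch --pinentry-mode loopback --passphrase '$passphrase' "\$@"
EOF
    chmod 700 "$wrapper"

    # Steps 5 and 6 in a fresh repository, with repo-local config, not --global.
    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name 'Alice Example'
    git -C "$repo" config user.email 'alice@example.com'
    git -C "$repo" config user.signingkey "$key_id"
    git -C "$repo" config commit.gpgsign true
    git -C "$repo" config gpg.program "$wrapper"
    echo 'Test file' > "$repo/test.txt"
    git -C "$repo" add test.txt
    git -C "$repo" commit -q -m 'Test commit'

    # verify-commit exits non-zero on a bad or missing signature (set -e then
    # aborts the script); %G? gives the status letter (G good, B bad, N none).
    git -C "$repo" verify-commit HEAD 2>/dev/null
    status=$(git -C "$repo" log -1 --format='%G?')

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    printf '%s\n' "$status"
}

# Usage: `sh sign-demo.sh run` prints G when the signed commit verifies.
if [ "${1:-}" = run ]; then
    demo_signed_commit
fi
```

Two points the script makes that the manual steps hide: the key ID Git needs is the 16-digit long ID after the slash on the sec line, which is what key_id_from_listing extracts, and Git finds gpg only through gpg.program (or the gpg on PATH), which is why a key created with one gpg installation is invisible to Git when it calls another.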
By following these steps, you can securely sign your Git commits, ensuring that your work is authenticated and trusted. If you encounter any issues or have questions, feel free to reach out!