DEV Community

Walter Nascimento
Walter Nascimento

Posted on

Commits signed on GITHUB using GPG key

GPG-signed commits on GitHub are a secure way to ensure updates and integrity of your contributions to a repository.

STEP 0: first install the GPG

For the easiest installation of GPG, Homebrew package manager is the tool to use. Similar to Linux's apt or rpm package managers, it allows us to do a quick one-line installation.

brew install gnupg
Enter fullscreen mode Exit fullscreen mode

Check installation

gpg --version
Enter fullscreen mode Exit fullscreen mode

πŸ’‘ NOTE: If you use Linux, just use apt get instead of brew, if you use Windows, search on Google

Step 1: Checking Existing GPG Keys

Before creating a new GPG key, it's a good idea to check if you already have one. Use the following command to list your GPG keys:

gpg --list-secret-key --keyid-format LONG
Enter fullscreen mode Exit fullscreen mode

πŸ’‘ NOTE: If it doesn't show anything it means you don't have any keys yet

Step 2: Creating a New GPG Key

If you don't have a GPG key or want to create a new one, follow these steps:

gpg --full-generate-key
Enter fullscreen mode Exit fullscreen mode

You will be asked to make a few choices:

  • Key type: We recommend RSA.
  • Key Size: Generally, 4096 bits is secure.
  • Key validity: Choose an option that best suits your needs. For example, '0' for never expire or '1y' for one year.
  • Real name: Your name.
  • Email Address: The email address associated with your GitHub account.
  • Comment: An extra comment.
  • Confirm your choices.

You will be asked to create a password and confirm it.

Step 3: Exporting your GPG Key

Now, export your GPG key in ASCII format so you can add it to GitHub:

gpg --armor --export <Key ID>
Enter fullscreen mode Exit fullscreen mode

πŸ’‘ NOTE: Replace with the ID of the GPG key you want to export

Step 4: Adding your GPG Key to GitHub

Go to GitHub, go to your profile settings, and click "GPG Keys" in the left menu. Paste the GPG key exported in the previous step into this field and click "Add GPG Key".

Step 5: Configuring Git

Now configure Git to use your GPG key to sign commits. Use the following commands:

git config --global user.signingkey <Key ID>
Enter fullscreen mode Exit fullscreen mode

πŸ’‘ NOTE: Replace with the ID of the GPG key you want to export

You need to export the GPG_TTY variable, so you don't have to do this every time, just edit your bash profile (in my case I use .bashrc) and paste this:

export GPG_TTY=$(tty)
Enter fullscreen mode Exit fullscreen mode

Step 6: Enabling Automatic Commit and Tag Signing

Enable automatic signing of commits and tags with the following commands:

git config --global commit.gpgsign true
git config --global tag.gpgsign true
Enter fullscreen mode Exit fullscreen mode

Step 7: Verifying the Commit Signature

You can check the signature of a commit using the following command:

git log --show-signature -1
Enter fullscreen mode Exit fullscreen mode

It will show information about the commit and the GPG signature associated with it.

πŸ’‘ NOTE: you need to be in a directory that has git started

Step 8: Configuring Other Email Addresses

If you want to sign commits with other email addresses, follow these steps:

gpg --edit-key <Key ID>
Enter fullscreen mode Exit fullscreen mode

πŸ’‘ NOTE: Replace with the ID of the GPG key you want to export

This command will open a new interface, allowing you to add new features

adduid
Enter fullscreen mode Exit fullscreen mode

Then follow the instructions to add a new name and email address. You can also configure trust for the new identity.

uid 2
Enter fullscreen mode Exit fullscreen mode

πŸ’‘ NOTE: You can see that the other option is now checked

Now type the trust command and follow the instructions.
Example: trust option 5 = I trust ultimately and y

After adding the additional identities, remember to save the changes with the save command.

save
Enter fullscreen mode Exit fullscreen mode

Thanks for reading!

If you have any questions, complaints or tips, you can leave them here in the comments. I will be happy to answer!

😊😊 See you later! 😊😊


Support Me

Youtube - WalterNascimentoBarroso
Github - WalterNascimentoBarroso
Codepen - WalterNascimentoBarroso

Top comments (0)