GPG-signed commits on GitHub let anyone verify that your contributions to a repository really came from you and have not been altered since you made them.
Step 0: Installing GPG
On a Mac, the easiest way to install GPG is the Homebrew package manager. Like apt or rpm on Linux, it lets you do a quick one-line installation:
brew install gnupg
Check installation
gpg --version
💡 NOTE: If you use Linux, use apt-get (or your distribution's package manager) instead of brew; if you use Windows, search on Google for a GPG installer.
Step 1: Checking Existing GPG Keys
Before creating a new GPG key, it's a good idea to check if you already have one. Use the following command to list your GPG keys:
gpg --list-secret-keys --keyid-format LONG
💡 NOTE: If it shows nothing, you don't have any keys yet.
Step 2: Creating a New GPG Key
If you don't have a GPG key or want to create a new one, follow these steps:
gpg --full-generate-key
You will be asked to make a few choices:
- Key type: We recommend RSA.
- Key Size: Generally, 4096 bits is secure.
- Key validity: Choose an option that best suits your needs. For example, '0' for never expire or '1y' for one year.
- Real name: Your name.
- Email Address: The email address associated with your GitHub account.
- Comment: An extra comment.
- Confirm your choices.
You will be asked to create a password and confirm it.
Step 3: Exporting your GPG Key
Now, export your GPG key in ASCII format so you can add it to GitHub:
gpg --armor --export <Key ID>
💡 NOTE: Replace <Key ID> with the ID of the GPG key you want to export (the part after the slash on the sec line from Step 1).
Step 4: Adding your GPG Key to GitHub
Go to GitHub, go to your profile settings, and click "GPG Keys" in the left menu. Paste the GPG key exported in the previous step into this field and click "Add GPG Key".
Step 5: Configuring Git
Now configure Git to use your GPG key to sign commits. Use the following commands:
git config --global user.signingkey <Key ID>
💡 NOTE: Replace <Key ID> with the ID of the GPG key you want to sign with (the one you exported in Step 3).
You also need to export the GPG_TTY variable so that gpg can ask for your passphrase in the terminal. So you don't have to do this every time, edit your shell profile (in my case I use .bashrc) and paste this:
export GPG_TTY=$(tty)
Step 6: Enabling Automatic Commit and Tag Signing
Enable automatic signing of commits and tags with the following commands:
git config --global commit.gpgsign true
git config --global tag.gpgsign true
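As an added example (not from the original post), the script below does Steps 1, 2, 3, 5 and 6 without the interactive prompts: an unattended gpg parameter file with the same answers the prompts ask for, a parser that pulls the LONG key ID out of the key listing, the armored export, and the git settings written to a config file you choose. The function names, the sample key listing and the key ID `3AA5C34371567BD2` are constructed for this example; only the `gpg` and `git` commands are real.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Function names and sample data
# are constructed; gpg/git invocations are the real commands.
set -eu

# Step 2 as an unattended parameter file: same choices as the interactive
# prompts (RSA, 4096 bits, expiry, name, email, comment). No "Passphrase:" line
# is given, so gpg asks for the passphrase through pinentry when the key is made.
# Usage: make_batch_params OUTFILE "Real Name" "you@example.com" [EXPIRE]
make_batch_params() {
  out=$1; name=$2; email=$3; expire=${4:-1y}
  cat >"$out" <<EOF
%echo Generating signing key for $email
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Email: $email
Name-Comment: GitHub commit signing
Expire-Date: $expire
%commit
%echo done
EOF
}

# Run the unattended generation from a parameter file (needs gpg).
generate_key() {  # generate_key PARAMFILE
  gpg --batch --generate-key "$1"
}

# Step 1/3 helper: extract the LONG key ID from the output of
#   gpg --list-secret-keys --keyid-format LONG
# The ID is the part after the slash on the "sec" line, e.g.
#   sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC] [expires: 2025-01-01]
# "ssb" (subkey) lines are ignored. Reads from stdin so it can be tested.
extract_long_key_id() {
  awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# Step 3: ASCII-armored public key to paste into GitHub.
export_public_key() {  # export_public_key KEYID
  gpg --armor --export "$1"
}

# Steps 5 and 6, written to an explicit config file so it can be tested
# without touching ~/.gitconfig; pass "$HOME/.gitconfig" for real use.
configure_git_signing() {  # configure_git_signing KEYID CONFIGFILE
  git config --file "$2" user.signingkey "$1"
  git config --file "$2" commit.gpgsign true
  git config --file "$2" tag.gpgsign true
}

# Constructed sample listing (key ID and fingerprint are placeholders).
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
----------------------------
sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC] [expires: 2025-01-01]
      0123456789ABCDEF0123456789ABCDEF01234567
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-01 [E] [expires: 2025-01-01]'

main() {
  keyid=$(printf '%s\n' "$SAMPLE_LISTING" | extract_long_key_id)
  echo "Long key ID from the sample listing: $keyid"
  # Real run (uncomment):
  # make_batch_params /tmp/gpg-params "Your Name" "you@example.com" 1y
  # generate_key /tmp/gpg-params
  # keyid=$(gpg --list-secret-keys --keyid-format LONG | extract_long_key_id)
  # export_public_key "$keyid"      # paste into GitHub > Settings > GPG Keys
  # configure_git_signing "$keyid" "$HOME/.gitconfig"
}
main
```

Keep the parameter file out of version control and delete it afterwards; if you ever put a `Passphrase:` line in it, it contains a secret.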
Step 7: Verifying the Commit Signature
You can check the signature of a commit using the following command:
git log --show-signature -1
It will show information about the commit and the GPG signature associated with it.
💡 NOTE: You need to run this inside a Git repository that has at least one commit.
Step 8: Configuring Other Email Addresses
If you want to sign commits with other email addresses, follow these steps:
gpg --edit-key <Key ID>
💡 NOTE: Replace <Key ID> with the ID of the GPG key you want to edit.
This command opens an interactive prompt where you can add a new identity (user ID). Type:
adduid
Then follow the instructions to add a new name and email address. You can also configure trust for the new identity. First select it:
uid 2
💡 NOTE: The new identity is now selected (it is marked with an asterisk in the list).
Now type the trust command and follow the instructions.
Example: type trust, choose option 5 (I trust ultimately) and confirm with y.
After adding the additional identities, remember to save the changes with the save command:
save
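As an added example (not from the original post), the script below does Step 8 without the interactive --edit-key session, using `gpg --quick-add-uid`, and then checks from gpg's machine-readable listing that the new identity is really on the key before you re-export it. Two caveats worth knowing: GitHub only accepts signatures for email addresses that are verified on your GitHub account, and it only knows the identities that were on the key when you uploaded it, so after adding a uid you have to export the key again (Step 3) and replace the one on GitHub. The function names, the key ID `3AA5C34371567BD2` and the colon-separated sample listing are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Function names and the sample
# listing are constructed; the gpg invocations are the real commands.
set -eu

# Non-interactive equivalent of `adduid` inside --edit-key. KEYID selects the
# key; the second argument is the new identity in "Name <email>" form.
# Needs gpg and prompts for the passphrase through pinentry.
add_identity() {  # add_identity KEYID "Other Name <other@example.com>"
  gpg --quick-add-uid "$1" "$2"
}

# Print the user IDs (uids) on a key from the machine-readable listing
#   gpg --list-keys --with-colons KEYID
# Field 1 is the record type, field 10 the user ID string. Reads from stdin
# so it can be tested on captured output.
list_uids() {
  awk -F: '$1 == "uid" { print $10 }'
}

# Exit 0 when EMAIL appears as <EMAIL> in one of the uids fed on stdin, else 1.
has_uid_email() {  # has_uid_email EMAIL < colon-listing
  list_uids | grep -F -q "<$1>"
}

# Re-export the key for GitHub after an identity was added (Step 3 again).
export_public_key() {  # export_public_key KEYID
  gpg --armor --export "$1"
}

# Constructed sample of `gpg --list-keys --with-colons` for a key with two
# identities; timestamps, hashes and IDs are placeholders.
SAMPLE_COLON_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:3AA5C34371567BD2:1704067200:1735689600::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1704067200::UIDHASH1::Example User <user@example.com>::::::::::0:
uid:u::::1704153600::UIDHASH2::Example User <user@work.example>::::::::::0:
sub:u:4096:1:42B317FD4BA89E7A:1704067200:1735689600:::::e::::::23:'

main() {
  # Real run (uncomment):
  # add_identity 3AA5C34371567BD2 "Example User <user@work.example>"
  # gpg --list-keys --with-colons 3AA5C34371567BD2 > /tmp/listing
  # has_uid_email user@work.example < /tmp/listing && export_public_key 3AA5C34371567BD2
  echo "identities on the sample key:"
  printf '%s\n' "$SAMPLE_COLON_LISTING" | list_uids
  if printf '%s\n' "$SAMPLE_COLON_LISTING" | has_uid_email user@work.example; then
    echo "new identity present: re-export the key and replace it on GitHub"
  else
    echo "identity missing: add it before re-exporting"
  fi
}
main
```

The colon format is what gpg documents for scripts (doc/DETAILS in the GnuPG sources); the human-readable listing changes between versions, so parse this one instead.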
Thanks for reading!
If you have any questions, complaints or tips, you can leave them here in the comments. I will be happy to answer!
See you later!
Support Me
Youtube - WalterNascimentoBarroso
Github - WalterNascimentoBarroso
Codepen - WalterNascimentoBarroso