
Managing Commit Signature Verification

Signing Git commits using GPG keys

The idea here is to set up GPG signature verification for my blog repo to make sure that all commits are from me or someone I trust.

Signing Git commits with GPG keys is the process of using a cryptographic identity to assert that a given change to a piece of software was made by a given individual, organization, or other entity. This is accomplished by attaching a digital signature to the commit object itself. Other users of the software can then verify that it was modified only by sources they trust. Note that the signature by itself only proves which key signed the commit; whether that key belongs to someone you trust is a separate decision, made by importing and trusting the signer's public key (or, on GitHub, by the key being attached to a known account).

GNU Privacy Guard

GPG stands for GNU Privacy Guard (GnuPG or GPG), free software that implements RFC 4880, the IETF standards-track specification of OpenPGP. You can find more details on Wikipedia about GNU Privacy Guard.

Git with GPG

Git has built-in support for signing commits and tags with GPG. Please refer to the Git documentation for more details: Git Tools - Signing Your Work.

In short, to sign Git commits with a GPG key, you must have or generate a GPG key pair. Each GPG key is uniquely identified by its fingerprint, a string of 40 hexadecimal characters (for the version 4 keys in common use). The shorter Key ID that most tools display is derived from the fingerprint: the long form is its last 16 hex digits and the short form its last 8. Use the long key ID or the full fingerprint when configuring Git; 8-digit short IDs are cheap to collide and should not be relied on to pick a key. The GPG keys you have access to are stored on your computer in a structure called a GPG keyring. To view your keyring from a command line, invoke the gpg command-line program with the --list-keys or --list-secret-keys option to list all keys in your keyring or only those for which you hold the private part, respectively.

Once you have a GPG key, you must then tell the repositories on your local computer which key to use when signing commits. Finally, you must ensure that your invocations of the git commit command tell Git to sign the commit. This is most easily accomplished by aliasing git commit to git commit --gpg-sign or an equivalent (git commit -S).

Procedure

Step 1 - Checking for Existing GPG Keys

https://help.github.com/articles/checking-for-existing-gpg-keys/

Step 2 - Generate a GPG Keypair

https://help.github.com/articles/generating-a-new-gpg-key/

macOS with Homebrew

Ubuntu 16.04.5 LTS

https://www.hiroom2.com/2016/08/14/ubuntu-16-04-create-gpg-key/

Step 3 - Configure Git or a specific Git Project

This step is optional, but recommended.

  1. Find the fingerprint of the GPG key you’d like to use to sign commits with.
    gpg --list-secret-keys --keyid-format LONG
  2. Navigate to the folder containing your Git project.
  3. Inform git of the GPG key you’d like to use to sign commits to this project. Assuming your GPG key ID is C85315FD87CF0009, you would invoke git config as follows:
    git config user.signingKey C85315FD87CF0009

    Many Git and GPG guides will tell you to use the command git config with the --global option to write the configuration into your home directory’s .gitconfig file. Their advice is intended to simplify your use of Git, but means that your key selection will apply by default (i.e., every commit will be signed using this key unless a specific project’s .git/config file overrides that selection). This can be an operational security risk if you’re trying to keep one GitHub account relatively separate from another, since a commit made in the wrong repository would be signed with, and publicly linked to, the wrong identity. This is why we prefer the use of per-repository configurations over user account-wide (“global”) configurations.

https://help.github.com/articles/telling-git-about-your-signing-key/

Step 4 - Associating an Email with your GPG Key

This step is needed if you push to GitHub and want your commits shown as verified there: GitHub only marks a commit as verified when the committer email matches both a verified email on your account and a user ID on the signing key.

https://help.github.com/articles/using-a-verified-email-address-in-your-gpg-key/
https://help.github.com/articles/associating-an-email-with-your-gpg-key/

Step 5 - Adding a New GPG Key to your GitHub Account

This step is needed if you push to GitHub and want your commits shown as verified there.

https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/

Step 6 - Signing Commits and Tags

You can now sign commits with your newly generated key by invoking git commit with the --gpg-sign or -S option, without the need to pass your key ID on the command line. For example:

git commit -S

The above is enough to automatically select your configured signing key and create a GPG-signed commit.

Tips:
To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.0 and above, run git config commit.gpgsign true. To sign all commits by default in any local repository on your computer, run git config --global commit.gpgsign true. Tags are not covered by commit.gpgsign: sign them with git tag -s, or set tag.gpgSign true (Git 2.23 and above).

https://help.github.com/articles/signing-commits/
https://help.github.com/articles/signing-tags/

Step 7 - Set a Git Commit Alias (Optional)

This step is optional.

  1. Navigate to the folder containing your Git project.
  2. Configure a git alias
    git config alias.cs "commit -S"
    You can now sign commits with your newly generated key by invoking git with your new alias git cs.
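The following script is an added example, not code from the original post: it runs Steps 1 through 7 end to end in a throwaway environment (generate a key, tell one repository to use it, make a signed commit, verify it), and then adds the check the introduction's goal implies but the steps above never perform: walking the repository history and rejecting any commit that is not carrying a good signature from an allow-listed key. It assumes GnuPG 2.1 or later (for %no-protection and gpgconf) and Git 2.19 or later (for the %GF placeholder) on PATH. The identity "Example Signer <signer@example.com>", the temporary directories and the two commits are constructed for the demo; GNUPGHOME and HOME are pointed at a temporary directory, so your real keyring and ~/.gitconfig are never touched.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG 2.1+ and Git 2.19+.
# Everything below runs against throwaway directories created by mktemp.
set -eu

# Policy check: every commit reachable from HEAD must carry a good signature
# (%G? = G) made by a key whose full fingerprint is in the allow-list given as
# $1 (space separated). Prints one REJECT line per offender on stderr and
# returns the number of offenders, so "0" means the whole history passes.
check_history_signatures() {
    allowed=" $1 "
    bad=0
    for hash in $(git rev-list HEAD); do
        status=$(git log -1 --format='%G?' "$hash")    # G good, N none, B bad, U untrusted, E error
        sig_fpr=$(git log -1 --format='%GF' "$hash")   # fingerprint of signing key, empty if unsigned
        if [ "$status" = G ]; then
            case "$allowed" in *" $sig_fpr "*) continue ;; esac
        fi
        echo "REJECT $hash: status=$status key=${sig_fpr:-none}" >&2
        bad=$((bad + 1))
    done
    return "$bad"
}

# Runs the whole procedure and prints three fields: the signature status of a
# commit made with the per-repository config, the status of a commit made with
# --no-gpg-sign, and how many commits the policy check rejected. Expected: "G N 1".
signed_commit_demo() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo "skipped: gpg and git are required"; return 0
    fi
    work=$(mktemp -d)
    # Isolate GnuPG and Git from the real user environment (constructed paths).
    export GNUPGHOME="$work/gnupg" HOME="$work/home" XDG_CONFIG_HOME="$work/home" GIT_CONFIG_NOSYSTEM=1
    mkdir -p "$GNUPGHOME" "$HOME" "$work/repo" && chmod 700 "$GNUPGHOME"

    # Step 2: unattended key generation. %no-protection (no passphrase) is
    # acceptable only because this key is disposable and deleted below.
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Signer
Name-Email: signer@example.com
Expire-Date: 0
%commit
EOF

    # Steps 1 and 3: read the long key ID (sec record, field 5) and the full
    # fingerprint (fpr record, field 10) from machine-readable --with-colons output.
    keyid=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr/ {print $10; exit}')

    cd "$work/repo" && git init -q
    git config user.name "Example Signer"
    git config user.email "signer@example.com"   # must match a user ID on the key
    git config user.signingkey "$keyid"          # per-repository, deliberately not --global
    git config commit.gpgsign true               # same effect as always passing -S

    # Step 6: an ordinary commit is now signed. git verify-commit exits non-zero
    # if the signature is missing or does not verify, which aborts the script.
    echo "hello" > post.md && git add post.md && git commit -q -m "Add post"
    git verify-commit HEAD 2>/dev/null
    signed=$(git log -1 --format='%G?')

    # An explicitly unsigned commit, to show what the policy check rejects.
    echo "more" >> post.md && git commit -q --no-gpg-sign -am "Unsigned edit"
    unsigned=$(git log -1 --format='%G?')

    rejected=0
    check_history_signatures "$fpr" || rejected=$?

    # Tear down the throwaway agent and directories.
    gpgconf --kill gpg-agent 2>/dev/null || true
    cd / && rm -rf "$work"
    echo "$signed $unsigned $rejected"
}

signed_commit_demo
```

To use the policy check on a real repository, pass your own fingerprint(s) to check_history_signatures and run it from a pre-receive hook or a CI job. Two things matter there: %G? only reports G on a machine whose GnuPG keyring has imported and trusted the signer's public key, so the verifying host needs that keyring, not just the signature; and if you sign with a subkey, %GF reports the subkey's fingerprint, so either allow-list the subkeys or switch the check to %GP (also Git 2.19+), which reports the primary key.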

References