Generally speaking, most organisations do not check if a commit is signed or not. Even worse, more companies do not care about this. It might subjective but I like to have the
If you commit from GitHub, for example: adding or editing a README, you will get the verified bagde. The same will happen with the client
GitKraken, but if you commit using the
git cli this will not happen unless you configure it.
Now, I will assume that you are using a mac but in case you do not, you can google yourself some of the installation steps.
In order to sign a commit you will need to generate a key, and for this you are going to use GPG. But first, you need brew to be installed, if you do not have it yet, it is a must have package manager for mac that you can download here.
> brew install gnupg > brew install pinentry-mac > echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf > killall gpg-agent
Pinentry as it is stated on the GPG site it is a collection of dialogs that allows you, for example, to input the passphrase of the private key. In order for this to work we need to indicate the path where it is installed into the GPG configuration and then kill the service (just in case) for it to take the changes.
Generating a set of keys
> gpg --full-generate-key (you can customise the key creation or just press enter to use the defaults)
Will generate a private key from which you are going to generate and export the public key. The id of the key will be shown when you generate the key or you can fetch it by running:
> gpg --list-secret-keys
And you will get something like this:
sec rsa2048 2019-06-07 [SC] KEY_ID_HERE uid [ absolut ] Pablo Morelli <[email protected]> ssb rsa2048 2019-06-07 [E]
After you have your ID, execute:
> gpg --export --armor YOUR_KEY_ID 2> cat
You will see the public key on the terminal, now you can copy it and go to GitHub.
Adding public key to GitHub account
Settings -> SSH and GPG Keys -> New GPG Key and paste the content of your key and after submiting you will see something like this.
Doing your first verified commit
When you work with the
git cli there is a huge probability that you work with different accounts (for example one for work and one personal) and/or that you have more than one GPG key on your system.
To avoid problems with git not knowing which configuration to pick you will indicate that for the repo where you are standing or for all the repos you will use the GPG key that contains a certain ID.
> git config --local gpg.program "gpg" > git config --local user.signingKey "YOUR_KEY_ID_INSIDE_THE_QUOTES" // will apply to the working directory > git config --global gpg.program "gpg" > git config --global user.signingKey "YOUR_KEY_ID_INSIDE_THE_QUOTES" // will apply to the all the repositories except when overriden
You are almost ready to go, but you need to know that by default
git commit does not sign the commits unless you specify the argument
-S. So you have two options:
> git commit -S -m "My commit message"
Or you can setup automatic signing for the repository or all the repositories.
> git config --local commit.gpgsign "true" > git config --global commit.gpgsign "true" // if you want to set up for all the repositories
If you did the step above, the argument
-S is no longer needed.
Checking git configuration
When you are unsure about your configuration you can execute
git config --local -l to list the configuration for the working directory and you should see something like this:
gpg.program=gpg commit.gpgsign=true user.signingkey=YOUR_KEY_ID
Back up your private key
Keys are passwords, so you should save them somewhere safe and revoke + change periodically. It is trivial to revoke and to generate a new key for GitHub but it may be troublesome for some other systems that uses your public key. Now lets image that you change your computer, you wont be able to sign because you don’t have your key; in this case a backup is recommended.
gpg --export-secret-keys YOUR_KEY_ID > some_private_key_name
Now you can save this file to some secure vault, and if you ever need to import it on a new machine, execute:
gpg --import some_private_key_name
As I mentioned before, some times when you work using the
git cli you end up mixing accounts, and it could happen to commit like this:
You can of course leave it like that or do a rebase of the commit; but you can also check first using
git config --local -l which is the
user.email for that working directory.
In case the email does not match with the email linked in GitHub you can change it doing:
> git config --local user.name "GitHub name" > git config --local user.email "[email protected]"
I hope you liked the post, if so, don’t forget to share it so this can reach to more people :)
2019-06-09 20:22 +0200