I recently discovered an interesting thing you can do with git commits: signing individual commits. I know this may not be new to a lot of people, but from my experience looking around GitHub, it doesn’t appear that many people do it. In fact, I’ve only seen one person other than myself with verified commits! So today I want to share how you can sign your own commits.

How to make a GPG Key

  1. Open a terminal and run gpg --gen-key
  2. At the prompt, specify the kind of key you want (the default is RSA and RSA)
  3. Enter the desired key size and expiration time (you can set it to never expire)
  4. Enter a user ID and a secure passphrase
  5. Run gpg --list-secret-keys --keyid-format LONG to list your keys. The long key ID you will need later is the part after the slash on the sec line (3AA5C34371567BD2 in this example):
/Users/devinmatte/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2017-04-17 [expires: 2017-04-18]
uid devinmatte
ssb 4096R/42B317FD4BA89E7A 2017-04-17

Signing Commits

Step 1

List your secret keys and note the long key ID on the sec line (3AA5C34371567BD2 below); that is the key git will sign with:

$ gpg --list-secret-keys --keyid-format LONG
/Users/devinmatte/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2017-04-17 [expires: 2017-04-18]
uid devinmatte
ssb 4096R/42B317FD4BA89E7A 2017-04-17

Step 2

Now you’re set up to start signing commits. To sign a single commit, run git commit -S. Really, though, you should sign all of your commits, so that it is clear your work is yours.

Step 3

  • git config --global commit.gpgsign true makes every commit in every repository on your machine signed by default.
  • git config commit.gpgsign true makes every commit in the current repository signed by default.

Step 4

  • Edit ~/.gnupg/gpg.conf and add these two lines to the bottom:
no-tty
use-agent
  • Now your passphrase will be cached by gpg-agent, and third-party software (such as GUI git clients) will be able to commit like normal, except now all your commits are signed!
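The steps above leave two things to the reader: picking the right long key ID out of the gpg listing, and checking locally that history is actually signed before relying on a hosting site's badge. The script below is an added example, not code from the original post; it works on constructed sample output (the post's own key listing, plus a made-up git log --pretty='format:%h %G? %s' listing), so it runs offline without touching your ~/.gitconfig.

```shell
#!/bin/sh
# Added example (not from the post): wire a GPG key into git and audit a
# repository's history for commits that are not verifiably signed.
# All inputs are constructed sample output, so this runs offline.

# Secret-key listing in the shape the post shows (older "4096R/" form).
SAMPLE_LISTING='/Users/devinmatte/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2017-04-17 [expires: 2017-04-18]
uid devinmatte
ssb 4096R/42B317FD4BA89E7A 2017-04-17'

# Pull the long key ID off the "sec" line (primary key), ignoring the "ssb"
# subkey line. Splitting on "/" also handles newer "rsa4096/ID" listings.
extract_signing_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, p, "/"); print p[2]; exit }'
}

# Emit the git settings the post relies on: which key to sign with, and
# signing on by default. Printed, not run, so ~/.gitconfig is untouched.
git_signing_config_commands() {
  key_id=$(extract_signing_key_id "$1")
  [ -n "$key_id" ] || { echo "no sec line in listing" >&2; return 1; }
  printf 'git config --global user.signingkey %s\n' "$key_id"
  printf 'git config --global commit.gpgsign true\n'
}

# Output of: git log --pretty='format:%h %G? %s' (constructed). %G? is git's
# per-commit verdict: G good, B bad, U untrusted key, E unverifiable, N none.
SAMPLE_LOG='a1b2c3d G Add signing docs
e4f5a6b N Quick fix
c7d8e9f B Tampered after signing
0a1b2c3 U Signed with a key we never trusted'

# Report every commit whose signature is not a good, trusted one.
# Exit status 1 if any such commit exists, so it can gate a CI check.
audit_signatures() {
  printf '%s\n' "$1" | awk '
    $2 == "G" { next }
    $2 == "N" { print $1 ": unsigned"; bad = 1; next }
    $2 == "B" { print $1 ": BAD signature"; bad = 1; next }
    $2 == "U" { print $1 ": signed, but signing key is not trusted"; bad = 1; next }
    $2 == "E" { print $1 ": signature cannot be checked (key missing?)"; bad = 1; next }
    { print $1 ": unexpected status " $2; bad = 1 }
    END { exit bad }'
}

git_signing_config_commands "$SAMPLE_LISTING"
audit_signatures "$SAMPLE_LOG" || echo "audit: unsigned or bad commits present"
```

On a real repository, feed audit_signatures the output of git log --pretty='format:%h %G? %s'; a U result means the signature is valid but you have not marked that key as trusted in your keyring, which is exactly the case a hosting site's green badge does not distinguish from a key you chose to trust.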

Verifying Commits Online

  1. Export your public key in ASCII-armored form: gpg --armor --export 3AA5C34371567BD2
  2. Copy the output, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----
  3. Add it to GitHub following the instructions on their site.

Once your GPG key is added to GitHub, all of your signed commits will display as Verified. Currently both GitHub and GitLab support GPG signature verification in their UI.

Interested in learning more? Read the documentation on git’s site.

Originally published at https://devinmatte.me.

Software Engineering Student at Rochester Institute of Technology with a focus on Full Stack Web Development and DevOps