Open in app

Sign in

Write

Sign in

Why we need to sign a commit on Git and how GitKraken makes our life easier.

Ayuth Mangmesap
Ayuth’s Story
3 min readApr 3, 2019

--

https://www.gitkraken.com/img/keif-gallery/gallery-mage-wizard.jpg

Finally, GitKraken has been added feature signing commit on v5 and now I’ll show you the power of GitKraken and GitLab that make our life easier than before. In this blog, we’ll walk through how to signing a commit and why we need to sign?

Why we must sign our commit?

Integrity — to verify certainly commit it’s from you.

$ git config --global user.name 'Linus Torvalds'
$ git config --global user.email torvalds@transmeta.com

Now if you’ve executed a command above you’ll be Linus Torvalds! Do you see how easy to be anyone? That’s why we need to sign a commit using GnuPG. If you want to read more information please follow a link below

What are the advantages and disadvantages of cryptographically signing commits and tags in Git?

(This is largely based on A Git Horror Story: Repository Integrity With Signed Commits -a very good read, and more…

softwareengineering.stackexchange.com

Tools we needed.

  1. GnuPG
  2. GitKraken

By default windows don’t provide a GnuPG binary for us that’s why we need to install an executable.

If you are using chocolatey just type a command

choco install gpg4win -y

unless you need to download executable from https://www.gpg4win.org/ and setup and then install GitKraken to make our life easier than command line.

Now we’ve installed a gpg executable on windows and GitKraken, then open GitKraken and go to “File” → “Preferences” → “GPG Preferences” under “GPG Program” click button “Browse” we need to tell GitKraken where is a gpg binary is. Then, browse to “C:\Program Files (x86)\GnuPG\bin\gpg.exe” and click “Open”

GitKraken now knows where is a gpg binary is and then we need to generate new GPG key. I recommended you to put your secret passphase in case of your key have been stolen if they don’t know the pass phase then they can’t use our key.

Let’s add our key to GitLab.

Add gpg public key on GitLab

Goto GitLab select “Settings” → “GPG Keys” and then paste your gpg public key that you copied from GitKraken then click “Add Key” The public key will appear below (for other git providers it’s quite similar you can do this from BitBucket and GitHub too but in this tutorial I used GitLab because I loved it ❤).

Try to commit using GitKraken.

Create some test repository on GitLab web UI or you can use GitKraken to initialize a repository. Your new repository will appear in GitLab.

If you see a repository on gitlab you’ll see a “Verified” label on a commit. Let’s try again by editing a README.md file

Initialize a project using gitkraken and view on gitlab.

The output will be image below

View a signed commit on gitlab.

References

Commit Signing with gpg

In Git, you may commit using any name and email address. However, Git supports signing commits and tags using a GPG key…

support.gitkraken.com

Git - Signing Your Work

Signing tags and commits is great, but if you decide to use this in your normal workflow, you'll have to make sure that…

git-scm.com

Signing commits with GPG | GitLab

Documentation for GitLab Community Edition, GitLab Enterprise Edition, Omnibus GitLab, and GitLab Runner.

docs.gitlab.com

Git
Gitkraken
Gnupg

--

--

Ayuth Mangmesap
Ayuth’s Story

Written by Ayuth Mangmesap

856 Followers
Editor for

A developer who runs everyday because he eats a lot

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams