Having access to a code base that you can change brings some risks alongside the obvious benefits. Commit signing is a good way to verify the identity of the individual who is actually making those changes, rather than just someone who gained access to a contributor's git account.
The following packages are required:

- git
- gpg (if you're using Linux this is likely to be installed already)

Depending on the distribution of your choice you can install these with the distro's package manager.

```shell
## zypper (openSUSE)
$ sudo zypper ref
$ sudo zypper in gpg2 git
## dnf (Fedora)
$ sudo dnf makecache
$ sudo dnf install gpg2 git
## apt (Debian/Ubuntu)
$ sudo apt update
$ sudo apt install gpg git
## pacman (Arch)
$ sudo pacman -Syy
$ sudo pacman -S gnupg git
```
On Windows:

- Download and install the latest version of Git for Windows.
- Download and install the latest version of GPG4Win.
- Start Git Bash and run the `where gpg` command to locate the gpg binary installed by GPG4Win. Save the output.

```shell
## Default path:
C:\Program Files (x86)\GnuPG\bin\gpg.exe
```

- Configure git to use the correct gpg:

```shell
git config --global gpg.program <path/to/gpg/from/previous/command/gpg.exe>
```
On macOS:

- Download and install Homebrew.
- Install `gnupg` and `pinentry` with Homebrew:

```shell
$ brew install gnupg pinentry-mac
```

- Verify that pinentry is showing a GUI prompt by issuing the `echo GETPIN | pinentry` command.
!!! note
    The best way of generating secure GPG keys is to download Tails, flash it onto a USB drive, and boot into it without an active network connection. It has everything preinstalled that you will need in the following steps. Even better if you can store your private key parts on a YubiKey.
The following steps should be identical on every platform.

- Generate a key:

```shell
gpg --full-generate-key
```

- The above will ask a few questions; answer them in this order:
    - Q: Please select what kind of key you want? A: RSA
    - Q: What key size do you want? A: 4096
    - Q: Key is valid for? A: 1y (It is strongly recommended to rotate keys at least yearly.)
- Enter a strong, ideally generated, password when prompted.
- Verify that the GPG key has been created with `gpg --list-keys` and save the fingerprint.

```shell
## Example output:
pub   rsa4096 2022-02-01 [SC]
      D04B6897DFED6E72CFF46FBA04F07005759BB4CE
uid           [ultimate] Attila Pinter (Adathor DevOps) <[email protected]>
sub   rsa4096 2022-02-01 [E]
```

- Using the fingerprint of the key you can export the public key:

```shell
$ gpg --output /path/to/file/to/save --armor --export D04B6897DFED6E72CFF46FBA04F07005759BB4CE
```

- Export the private key; keep this safe and don't share it.

```shell
$ gpg --output /path/to/file/to/save --armor --export-secret-keys D04B6897DFED6E72CFF46FBA04F07005759BB4CE
```

!!! note
    When moving to a new system you can restore your keys with `gpg --import /path/to/key`.
The following steps will enable git to use the GPG private key to sign every commit you make. The Git platform then verifies each commit using your public key. Note that if the password is not stored in a keyring, gpg will prompt for it every time you make a commit, which can be tedious, so make sure you have a keyring configured on your system to store the gpg password and avoid this.

- Verify the username and e-mail address used to make commits. The e-mail address must match the e-mail address used for the GPG key!

```shell
$ git config user.name
$ git config user.email
## To set username and e-mail
$ git config --global user.name "YOUR_NAME"
$ git config --global user.email "YOUR_EMAIL"
```
- Add your public key to your GitLab account:
    - Copy the key beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
    - Go to your Account Preferences, GPG Keys setting and paste the public key.
- On the command line/Git Bash list your signatures with `gpg --list-signatures` and save the 16-character key ID (the line that starts with `sig 3`):

```shell
pub   rsa4096 2022-07-11 [SC] [expires: 2023-07-11]
      708DFD7D605C9514D5E82672E60A31B88F0504E4
uid           [ultimate] Attila Pinter (Adathor signing key) <[email protected]>
sig 3        E60A31B88F0504E4 2022-07-11  Attila Pinter (Adathor signing key) <[email protected]>
sub   rsa4096 2022-07-11 [E] [expires: 2023-07-11]
sig          E60A31B88F0504E4 2022-07-11  Attila Pinter (adathor signing key) <[email protected]>
```

In this example the key ID is: `E60A31B88F0504E4`

- On the command line/Git Bash enable git commit signing:

```shell
$ git config --global user.signingkey [YOUR_GPG_SIGNATURE_HERE]
$ git config --global commit.gpgsign true
```
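As an added example that is not part of this guide, a small Python script that parses the `gpg --list-signatures` layout shown above, picks the key whose uid e-mail equals the git `user.email`, checks that it has not expired and that the `sig 3` ID belongs to that key's fingerprint, and returns the 16-character key ID to put in `user.signingkey`. The listing, name and e-mail are constructed placeholders, not real keys.

```python
import re

# Constructed sample in the layout of `gpg --list-signatures` (not a real key).
SAMPLE = """\
pub   rsa4096 2022-07-11 [SC] [expires: 2023-07-11]
      708DFD7D605C9514D5E82672E60A31B88F0504E4
uid           [ultimate] Jane Doe (signing key) <you@example.com>
sig 3        E60A31B88F0504E4 2022-07-11  Jane Doe (signing key) <you@example.com>
sub   rsa4096 2022-07-11 [E] [expires: 2023-07-11]
sig          E60A31B88F0504E4 2022-07-11  Jane Doe (signing key) <you@example.com>
"""

EXP_RE = re.compile(r"\[expires: (\d{4}-\d{2}-\d{2})\]")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})\s*$")
UID_RE = re.compile(r"^uid\s.*<([^>]+)>")
SIG3_RE = re.compile(r"^sig 3\s+([0-9A-F]{16})\b")


def parse_keys(listing):
    """Parse `gpg --list-signatures` text into one dict per primary key."""
    keys = []
    for line in listing.splitlines():
        if line.startswith("pub "):
            exp = EXP_RE.search(line)  # ISO date, or None when the key never expires
            keys.append({"expires": exp.group(1) if exp else None,
                         "fingerprint": None, "emails": [], "self_sigs": []})
        elif not keys:
            continue  # ignore anything before the first pub line
        elif (m := FPR_RE.match(line)) and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = m.group(1)  # primary fingerprint follows pub
        elif m := UID_RE.match(line):
            keys[-1]["emails"].append(m.group(1).lower())
        elif m := SIG3_RE.match(line):
            keys[-1]["self_sigs"].append(m.group(1))  # the "sig 3" self-certification
    return keys


def signing_key_for(listing, git_email, today):
    """Return the 16-hex key ID for user.signingkey, or None if no key qualifies:
    a uid e-mail must equal git user.email, the key must not be expired (today is
    an ISO date string) and its sig 3 ID must be the tail of its fingerprint."""
    for key in parse_keys(listing):
        if key["fingerprint"] is None or git_email.lower() not in key["emails"]:
            continue
        if key["expires"] is not None and key["expires"] < today:  # ISO strings sort
            continue  # expired key: the platform would show the commit as unverified
        key_id = key["fingerprint"][-16:]
        if key_id in key["self_sigs"]:
            return key_id
    return None
```

Feed it the real output of `gpg --list-signatures` and `git config user.email` to confirm the ID you configure is the one the platform will be able to match.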
To enable commit signing for IDEs, check out the following documentation:

If the above steps were applied correctly you will see a green "Verified" badge next to every commit you make.