@davevelasco
Last active May 22, 2021 22:09
Setup git commit signing with GPG keys for GitHub

Sign git commits with GPG keys for GitHub

Signing git commits lets anyone verify that a commit was created by the holder of a trusted key. Git itself does not check the author name or email in a commit (anyone can set them with git config), so a signature is what stops one author from impersonating another.

Check for existing GPG keys

$ gpg --list-secret-keys --keyid-format LONG
  • If no keys are listed, generate a new GPG key (next section).
  • Otherwise, add the existing public key to your GitHub account (see "Adding a GPG public key to GitHub").

Generate a new GPG key

  1. Generate a GPG key pair.
    • If your gpg version is 2.1.17 or greater:
      $ gpg --full-generate-key
    • Else:
      $ gpg --default-new-key-algo rsa4096 --gen-key
    • Choose the kind of key you prefer, or leave blank to use the default.
  2. Enter 4096 or greater for desired key size.
  3. Enter how long the key will be valid for. Leave blank for a non-expiring key.
  4. Verify if your choice is correct.
  5. Provide the necessary information for your User ID (UID).
    • Make sure your UID email address is the same one used for your GitHub account.
    • As a best practice, do not include a comment in your UID.
  6. Verify if your UID is correct.
  7. Enter a secure passphrase.
  8. List all your GPG keys and copy the GPG key ID you would like to use. In the example below, the ID is 3AA5C34371567BD2.
    $ gpg --list-secret-keys --keyid-format LONG
    /Users/hubot/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Hubot 
  9. Generate the GPG public key with:
    $ gpg --armor --export <Insert GPG key ID>
  10. Copy the resulting GPG public key which starts with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----, and add it to your GitHub account.

Adding a GPG public key to GitHub

  1. Go to your profile settings.
  2. Select SSH and GPG keys.
  3. In the GPG keys section, click the New GPG key button.
  4. Paste your public GPG key and click Add GPG key.

Signing commits

  1. Tell Git about your signing key.
    $ git config --global user.signingKey 3AA5C34371567BD2
  2. To sign a single commit, use:
    $ git commit -S -m "<commit message>"
  3. To sign every commit automatically without passing the -S flag, use:
    $ git config --global commit.gpgsign true
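The following is an added example, not part of the original gist, that scripts the two points a practitioner usually wants automated: picking the long key ID out of the gpg --list-secret-keys output from the "Check for existing GPG keys" and "Generate a new GPG key" sections, and confirming afterwards that a commit really carries a good signature from that key (git log --show-signature is what GitHub's "Verified" badge corresponds to locally). The gpg listing and git log excerpts embedded below are constructed sample text in the same layout the gist shows; the email address and commit hash are placeholders. configure_git_signing runs the exact git config commands from the "Signing commits" section and is only invoked when the script is called with --configure, so running it bare changes nothing on your machine.

```shell
#!/bin/sh
# Added example (not from the original gist): helpers around the GPG/Git
# commit-signing workflow. All sample outputs below are constructed.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output,
# mirroring the gist's listing; the email is a placeholder.
SAMPLE_LISTING='/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <hubot@example.com>
ssb   4096R/0123456789ABCDEF 2016-03-10'

# Constructed sample of `git log --show-signature -1` for a signed commit.
SAMPLE_GOOD_LOG='commit 0000000000000000000000000000000000000000
gpg: Signature made Tue May 18 10:00:00 2021 PDT
gpg:                using RSA key 3AA5C34371567BD2
gpg: Good signature from "Hubot <hubot@example.com>" [ultimate]'

# Same excerpt but with a signature that failed to verify (constructed).
SAMPLE_BAD_LOG='commit 0000000000000000000000000000000000000000
gpg: Signature made Tue May 18 10:00:00 2021 PDT
gpg:                using RSA key 3AA5C34371567BD2
gpg: BAD signature from "Hubot <hubot@example.com>" [ultimate]'

# Print the long key ID of every secret primary key ("sec" lines) in a
# listing read from stdin. Subkeys ("ssb") are skipped, and both the old
# "4096R/KEYID" and the newer "rsa4096/KEYID" column formats are handled.
extract_key_ids() {
    awk '$1 == "sec" { split($2, parts, "/"); print parts[2] }'
}

# Return 0 only if a `git log --show-signature` excerpt reports a good
# signature AND the signing key ends with the expected long key ID
# (newer gpg prints the full fingerprint, so we match on the suffix).
signature_is_good() {
    key_id="$1"
    log="$2"
    printf '%s\n' "$log" | grep -q 'gpg: Good signature' || return 1
    printf '%s\n' "$log" | grep -q "using RSA key .*${key_id}" || return 1
    return 0
}

# Apply the git config commands from the "Signing commits" section.
# Only runs when git is present; fails otherwise.
configure_git_signing() {
    key_id="$1"
    command -v git >/dev/null 2>&1 || { echo "git not found" >&2; return 1; }
    git config --global user.signingKey "$key_id" || return 1
    git config --global commit.gpgsign true || return 1
}

# Stand-alone demo: extract the key ID from the sample listing and check the
# sample log excerpts. Pass --configure to actually write the git config.
KEY_ID=$(printf '%s\n' "$SAMPLE_LISTING" | extract_key_ids | head -n 1)
echo "Selected key ID: $KEY_ID"
if signature_is_good "$KEY_ID" "$SAMPLE_GOOD_LOG"; then
    echo "good sample: signature verified"
fi
if ! signature_is_good "$KEY_ID" "$SAMPLE_BAD_LOG"; then
    echo "bad sample: signature rejected"
fi
if [ "${1:-}" = "--configure" ]; then
    configure_git_signing "$KEY_ID" && echo "git signing configured for $KEY_ID"
fi
```

On a real machine, replace the SAMPLE_LISTING pipeline with `gpg --list-secret-keys --keyid-format LONG | extract_key_ids` and feed `git log --show-signature -1` into signature_is_good after your first signed commit; a "BAD signature" or a key ID that does not match the one you registered on GitHub means the commit will not show as verified.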