@vzool
Forked from chq-matteo/signed-commits.md
Created February 13, 2023 18:31
Signed commits with GPG

1. Generate a gpg key

With GnuPG 2.1.15

If you want to create an RSA or DSA key in a straightforward way, use:

gpg --full-gen-key

If you want to use an ECC algorithm, you need to add the --expert flag

gpg --expert --full-gen-key

It will ask you for a couple of details about the algorithms you want to use

Please select what kind of key you want:
   (1) RSA and RSA (default)
   [...]
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
         [...]
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

It then asks for a name and an email address. If you need this key for GitHub, make sure to use the same email you use for GitHub.

Real name: Mario Rossi
Email address: [email protected]
Comment: Signing key for git

Find the ID of your newly generated key with gpg --list-secret-keys --keyid-format LONG

------------------------------
sec   rsa2048/[HEX STRING KEY ID] YYYY-MM-DD [SC]
uid                 [ultimate] Mario Rossi (Signing key for git) <[email protected]>

2. Configure git to use this signing key

git config user.signingkey [HEX STRING KEY ID]

3. Configure git to automatically sign each commit

git config commit.gpgsign true

You may want to make these settings global rather than local to a repository with --global

git config --global user.signingkey [HEX STRING KEY ID]
git config --global commit.gpgsign true
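
The following script is an added example, not part of the original gist. It automates the "find the ID" step and steps 2 and 3 by reading gpg's machine-readable `--with-colons` listing instead of the human-readable one, and it skips keys that are expired, revoked or unable to sign. The function names, the sample listing and the addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist). Function names and sample data are constructed.

# Reads `gpg --list-secret-keys --with-colons` records on stdin and prints the
# long key ID of the first secret key that is not expired or revoked, can sign,
# and has a user ID containing <email>. Returns 1 when no key qualifies.
# Assumes GnuPG 2.x, where the expiry field holds seconds since the epoch.
signing_key_for_email() {
  awk -F: -v want="<$1>" -v now="$(date +%s)" '
    $1 == "sec" {
      # 2 = validity, 5 = long key ID, 7 = expiry (empty = never),
      # 12 = capabilities: "s"/"S" means the key or a subkey can sign.
      id = $5
      ok = ($2 !~ /^[er]/) && ($7 == "" || $7 + 0 > now + 0) && ($12 ~ /[sS]/)
    }
    # Skip revoked or expired user IDs; match the address case-insensitively.
    $1 == "uid" && ok && $2 !~ /^[er]/ && index(tolower($10), tolower(want)) {
      print id; found = 1; exit
    }
    END { exit !found }
  '
}

# Steps 2 and 3 from the text for the current repository, using the key found above.
configure_git_signing() {
  id=$(gpg --list-secret-keys --with-colons | signing_key_for_email "$1") || {
    echo "no usable signing key for $1" >&2; return 1; }
  git config user.signingkey "$id" && git config commit.gpgsign true
}

# Constructed listing: an expired key, a usable key, and a certify-only key.
SAMPLE_LISTING='sec:e:2048:1:AAAA000000000001:1500000000:1500086400::u:::sc:::+:::23::0:
uid:e::::1500000000::0000::Mario Rossi (old key) <mario@example.test>::::::::::0:
sec:u:2048:1:BBBB000000000002:1676300000:::u:::scSC:::+:::23::0:
uid:u::::1676300000::0000::Mario Rossi (Signing key for git) <mario@example.test>::::::::::0:
sec:u:2048:1:CCCC000000000003:1676300000:::u:::cC:::+:::23::0:
uid:u::::1676300000::0000::Cert Only <certonly@example.test>::::::::::0:'
```

After sourcing the script, run `configure_git_signing` with your GitHub email inside a repository, then check the next commit with `git log --show-signature -1`.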

Further reading

  1. GitHub Generating a new GPG key

  2. GitHub Adding a new GPG key to your account

  3. GitHub Telling git about your GPG key

  4. GitHub Signing commits using GPG

  5. StackOverflow Autosign Commits

  6. StackOverflow Which ECC to choose with GPG
