There is a feature in git which allows signing commits by GPG key. However, not all developers heard about it. In this post, we will see how to enable it.
Why do you need it?
The only purpose of signing your commit is for others to be sure that this commit was really made by you and not by someone pretending to be you (anyone can set a completely random name and email by git config user.name 'Linus Torvalds' and git config user.email '[email protected]').
Also, signed commits are marked as verified by git hosting providers such as GitHub or GitLab.
Create GPG key
The first thing you need to do is to create a GPG key if you don’t already have it. Check the version of GPG installed by executing
gpg --version
gpg (GnuPG) 2.3.7
If you have GPG version higher than 2.1.17, then generate the key by executing
gpg --full-generate-key
Otherwise, use the following command
gpg --default-new-key-algo rsa4096 --gen-key
It will prompt you to enter your name, email, key expiration date, and passphrase. I strongly recommend having a passphrase to protect your identity even if the key will be leaked.
Configure git to sign each commit
After you generated a key, it’s time to tell git about it. You need a key ID for that. Execute the following to find it.
gpg --list-secret-keys --keyid-format=long
/Users/ruslan/.gnupg/secring.gpg
------------------------------------
sec 4096R/399E18176B5EF6D2 2022-01-10 [expires: 2026-01-10]
uid Ruslan Lesko <[email protected]>
ssb 4096R/AF97D7A7275DE23 2022-01-10
In the example above, the key ID is 399E18176B5EF6D2. Copy that and paste it into our next command:
git config --global user.signingkey 399E18176B5EF6D2
As you can see, I am using a --global parameter to apply this config to all my repositories. Alternatively, you can set different keys for different repositories (in case you have different email accounts, for example).
Now we can set a parameter to sign all commits by default.
git config --global commit.gpgsign true
As with the previous command, you can omit --global param to apply this config only for a specific repository.
If you don’t want to sign each commit by default, then for signing commits you should use -S parameter. For example.
git commit -S -m 'This commit is signed'
For some systems, you may encounter an issue with the passphrase prompt not getting opened. For example, on mac. In this case, go to your .bashrc (or .zshrc if you are on a mac) to add this line and restart your terminal:
export GPG_TTY=$(tty)
Add GPG public key to git hosting provider
If you want GitHub, GitLab, or any other git provider to label signed commits as verified, you need to associate the public GPG key with your account. For that, we will need a public portion of the previously generated key. To export it, you will need a key ID, which we saw previously.
gpg --armor --export 399E18176B5EF6D2
Then, copy the output and paste it into the GPG section in the setting menu of your git provider.
Congrats, you have completed your git GPG setup!