@ChristopherA
Created September 20, 2020 22:06
Git GPG Signing Tips #gpg #sign #github #githubdesktop


GitHub Signing with Git & GitHub Desktop

(portions from https://gist.github.com/xavierfoucrier/c156027fcc6ae23bcee1204199f177da https://gist.github.com/Shinrai/63eb85c7e89715a5d2dc9bee0301a8ac )

You can now sign your commits on GitHub using at least Git 2.18.0 and GitHub Desktop 1.6.1.

  1. Generate a GPG key and add it to GitHub: https://help.github.com/articles/generating-a-new-gpg-key (if you don't want to type a passphrase on every commit, press "Enter" when the console prompts you for a passphrase; the private key is then stored without passphrase protection)

  2. Configure Git by editing the .gitconfig file: run git config --global --edit in a terminal, then replace YOUR_GITHUB_EMAIL, YOUR_SIGNING_KEY and GPG_BINARY_PATH with your own values

[user]
  name = Xavier Foucrier
  email = YOUR_GITHUB_EMAIL
  signingkey = YOUR_SIGNING_KEY
[gpg]
  program = GPG_BINARY_PATH
[commit]
  gpgsign = true

  • YOUR_GITHUB_EMAIL: the email address used to log in to GitHub
  • YOUR_SIGNING_KEY: the GPG key used to sign commits, should follow the GPG key ID convention, like this example: https://help.github.com/articles/telling-git-about-your-signing-key/#telling-git-about-your-gpg-key-1
  • GPG_BINARY_PATH: the GPG binary file path, depending on your Git install and your operating system:
    • Windows: gpg.exe or C:\Program Files\Git\usr\bin\gpg.exe (can be found using gcm gpg in a terminal)
    • Mac or Linux: gpg or /usr/local/bin/gpg (can be found using which gpg in a terminal)

Note that you can temporarily disable GPG-signed commits by setting gpgsign = false in your .gitconfig file, for example with git config --global commit.gpgsign false

What to do if a commit is marked as unverified

If a commit in a PR is marked with the Unverified badge, first check the following:

  • Your GPG key must have an email address in it that is the same email address you use to log in to GitHub.
  • That GPG key must be uploaded to GitHub.
  • Your commit must be signed with git commit -S -m "message"
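
The first and third items can be checked locally before pushing. The script below is an added example, not part of the original gist: key_has_email and check_signing_setup are hypothetical helper names, the sample listing is constructed, and the comparison assumes user.email holds your GitHub address as in the configuration above.

```shell
#!/usr/bin/env bash
# Added example: local checks for the "unverified" checklist.
# Constructed `gpg --list-secret-keys --with-colons` output; the key ID,
# fingerprint, name and addresses are made up for illustration.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example Dev <dev@example.com>::::::::::0:
uid:u::::1600000000::1111111111111111111111111111111111111111::Example Dev <dev@users.noreply.example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::e:::+:::23:'

# key_has_email KEY EMAIL   (colon listing on stdin)
# Succeeds only if the primary key whose fingerprint ends in KEY (short ID,
# long ID or full fingerprint, without 0x prefix or ! suffix) carries a
# user ID containing exactly <EMAIL>.
key_has_email() {
  awk -F: -v id="$1" -v mail="<$2>" '
    function ends(s, suf) {
      return length(suf) > 0 && length(suf) <= length(s) &&
             substr(s, length(s) - length(suf) + 1) == suf
    }
    $1 == "sec" || $1 == "pub" { primary = 1; inkey = 0; next }
    $1 == "ssb" || $1 == "sub" { primary = 0; next }
    $1 == "fpr" && primary { inkey = ends($10, toupper(id)); primary = 0; next }
    $1 == "uid" && inkey && index(tolower($10), tolower(mail)) { found = 1 }
    END { exit !found }'
}

# check_signing_setup: run the checklist against the real local setup.
check_signing_setup() {
  gpg_bin=$(git config gpg.program || echo gpg)
  key=$(git config user.signingkey) || { echo "user.signingkey is not set"; return 1; }
  email=$(git config user.email) || { echo "user.email is not set"; return 1; }
  if "$gpg_bin" --list-secret-keys --with-colons "$key" | key_has_email "$key" "$email"; then
    echo "OK: signing key $key has a user ID for $email"
  else
    echo "MISMATCH: signing key $key has no user ID for $email"; return 1
  fi
  # %G? prints N when the commit carries no signature at all.
  if [ "$(git log -1 --format='%G?')" = "N" ]; then
    echo "HEAD is not signed"; return 1
  fi
  echo "HEAD carries a signature; also confirm the public key is uploaded to GitHub"
}

# Demo on the constructed listing (no gpg or git needed).
printf '%s\n' "$SAMPLE_LISTING" | key_has_email 0123456789ABCDEF dev@example.com &&
  echo "sample key matches dev@example.com"
```

Run check_signing_setup inside the repository whose commits show as unverified; whether the key is uploaded to GitHub cannot be checked locally.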

Sign your last commit if it wasn't signed

git commit --amend --no-edit -S

Sign commits of others

git checkout -b patch-1 master
git checkout master
git rebase --exec 'git commit --amend --no-edit -n -S' -i patch-1
git push origin master

Other approaches at https://superuser.com/questions/397149/can-you-gpg-sign-old-commits
