How to sign Git commits

signing-git-commits.md

How to sign Git commits

1. Install GPG4Win and Git for Windows.

2. Set up Git to use GPG4Win.

   git config --global gpg.program "<path to gpg.exe>"

3. Generate key.

   gpg --full-generate-key
   

   Prompt: Please select what kind of key you want:

   Response: 1 (RSA and RSA)

   Prompt: What keysize do you want?

   Response: 4096

   Prompt: Please specify how long the key should be valid.

   Response: 0 (key does not expire)

   Prompt: Real name:

   Response: <whatever>

   Prompt: Email address:

   Response: <your github.com email address> (EXTREMELY IMPORTANT; KEY WILL NOT WORK UNLESS VERIFIED EMAIL ADDRESS FOR YOUR GITHUB ACCOUNT IS PROVIDED HERE)

   Prompt: Comment:

   Response: <whatever>

   GPG will prompt for a password; you can enter a password or leave it blank if you're not going to share the key.

4. Find the key name.

   gpg --list-secret-keys --keyid-format LONG
   

   Output will be displayed like this:

   sec		rsa4096/A4G5F0CC4D23BO0A 2020-12-24 [SC]
   		5609CB236509CA012809C1E8A3A3E6FA6C08AC6E
   uid					[ultimate] email@server.org
   ssb		rsa4096/12E3241AC1A009A2 2020-12-24 [E]
   

   The part that comes after the / in the first line before the date is your GPG signing key. In this example, it would be A4G5F0CC4D23BO0A.

5. Export they key for use with GitHub.

   gpg --armor --export A4G5F0CC4D23BO0A
   

6. Go to https://github.com/settings/keys and add the key to GitHub.

7. Tell Git to use your key to sign commits.

   git config --global user.signingkey A4G5F0CC4D23BO0A
   git config --global commit.gpgsign true