
@KamilPacanek
Last active June 19, 2021 09:08
Setup Git signing

Verify downloaded GPG installation package

  1. Download the GnuPG installer (from the GnuPG binary releases page) together with its *.sig file.

    • Windows: GnuPG simple installer (CLI tools)
  2. Import the GnuPG public keys using a gpg binary you already trust.

    • Use the gpg that comes with the Git installation, from Git Bash:
      where gpg
      gpg --version
    • Go to the GnuPG public keys reference page and keep it open.
    • Copy the public key block and save it to an *.asc file.
    • Import the GnuPG public keys:
      gpg --import gnupg.asc
    • Verify that the keys were imported. Notice that they are initially untrusted.
      gpg --list-keys --keyid-format LONG
      
    • Note the key-id that identifies the key in the current environment, e.g.:

    pub rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]

    • Verify that the imported keys match the keys on the GnuPG public keys reference page, then trust each key with the following command, choosing ultimate trust.
      gpg --edit-key {key-id} trust
    • Verify that the GnuPG keys are trusted (expired ones won't show the ultimate trust flag):
      $ gpg --list-keys --keyid-format LONG
      
      pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]
          D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
      uid                 [ultimate] Werner Koch (dist sig)
      
      pub   rsa2048/2071B08A33BD3F06 2014-10-29 [SC] [expired: 2020-10-30]
          031EC2536E580D8EA286A9F22071B08A33BD3F06
      uid                 [ expired] NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
      
      pub   rsa3072/BCEF7E294B092E28 2017-03-17 [SC] [expires: 2027-03-15]
          5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
      uid                 [ultimate] Andre Heinecke (Release Signing Key)
      
      pub   ed25519/528897B826403ADA 2020-08-24 [SC] [expires: 2030-06-30]
          6DAA6E64A76D2840571B4902528897B826403ADA
      uid                 [ultimate] Werner Koch (dist signing 2020)
  3. Verify the installation package. Read the Integrity check page published by the GnuPG team. If the previous steps were done correctly, a message similar to the following should be displayed; otherwise refer to the aforementioned Integrity check.

    gpg: Signature made 07-04-2021 20:06:23 Central European Daylight Time
    gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
    gpg: Good signature from "Werner Koch (dist signing 2020)" [ultimate]
  4. Install gpg.
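The verification in step 3 done as a script, as an added example that is not part of the original gist: it parses gpg's machine-readable status lines instead of eyeballing "Good signature", so a good signature from the wrong key, or from an untrusted key, is rejected. The expected fingerprint is the "Werner Koch (dist signing 2020)" key from the listing above; the installer file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: verify the downloaded GnuPG
# installer against its .sig by parsing gpg's machine-readable status lines
# rather than eyeballing "Good signature". The expected fingerprint is the
# "Werner Koch (dist signing 2020)" key from the key listing above.

EXPECTED_FPR="6DAA6E64A76D2840571B4902528897B826403ADA"

# check_status: read "[GNUPG:] ..." lines (gpg --status-fd output) on stdin.
# Returns 0 only when gpg reported VALIDSIG from the expected fingerprint AND
# that key has ultimate or full trust. A GOODSIG from some other key, a
# BADSIG/ERRSIG, or an untrusted key all return 1.
check_status() {
  local expected="$1" valid=1 trusted=1 line
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG $expected "*) valid=0 ;;
      "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*) trusted=0 ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        echo "signature check failed: $line" >&2; return 1 ;;
    esac
  done
  [ "$valid" -eq 0 ] || { echo "no valid signature from $expected" >&2; return 1; }
  [ "$trusted" -eq 0 ] || { echo "signing key is not trusted" >&2; return 1; }
  return 0
}

# verify_installer SIGFILE FILE: --status-fd 1 sends the status lines to
# stdout (the human-readable report still goes to stderr) for check_status.
verify_installer() {
  gpg --status-fd 1 --verify "$1" "$2" | check_status "$EXPECTED_FPR"
}

# demo_check: constructed status lines modelled on a successful verification,
# so the parser can be exercised without gpg or the installer present.
demo_check() {
  printf '%s\n' \
    '[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)' \
    "[GNUPG:] VALIDSIG $EXPECTED_FPR 2021-04-07 1617818783 0 4 0 22 8 00 $EXPECTED_FPR" \
    '[GNUPG:] TRUST_ULTIMATE 0 pgp' | check_status "$EXPECTED_FPR"
}

# Real run (placeholder names): verify_installer gnupg-w32-VERSION.exe.sig gnupg-w32-VERSION.exe
```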

Post-install steps

  1. Open a Windows command prompt and configure the new installation.

    • Verify the version and location of gpg
      where gpg
      gpg --version
  2. If gpg reports in a language other than English, set the environment variable LANG=C and restart the command prompt.
  3. Import the GnuPG keys as described above and ensure they are trusted.

Create GPG signing key

Create a GPG key for Git signing. If the key is intended for use with GitHub, follow GitHub's latest instructions.

gpg --full-generate-key

Update Git Bash to use new gpg installation

  1. Validate: if Git Bash is still using its own keyring, the new key will be visible only in the command prompt. Run the listing command in both the command prompt and the bash shell and compare.
    gpg --list-keys
  2. Add an alias pointing to the new gpg in {SYSTEMDRIVE}/Users/{PROFILE}/.bash_profile (create the file if needed):
    alias gpg="'C:\Program Files (x86)\gnupg\bin\gpg.exe'"
  3. Restart Git Bash to apply changes.

Configure Git

  1. Add the following config changes globally. Setting commit.gpgsign to true enables signing of every commit by default; without it, each commit would have to be explicitly marked for signing with the -S flag (e.g. git commit -S -m "Add new file").
    git config --global gpg.program {PATH_TO_GPG}
    git config --global user.signingkey {KEY_ID} 
    git config --global commit.gpgsign true
  2. Depending on your preferences, the default behaviour for annotated tags can be changed by modifying the following config:
    git config --global tag.forceSignAnnotated true

Test Git commit signing

  1. Create temporary repository.
    mkdir test-repo
    cd test-repo
    git init
  2. Add empty commit and verify that you are prompted for the GPG key passphrase.
    git commit --allow-empty -m "Signed commit"
  3. The signature can be verified using either of the following methods.
    $ git verify-commit 64796ee
    
    gpg: Signature made 14-04-2021 10:00:09 Central European Daylight Time
    gpg:                using RSA key 551760C1C76669F30FEFCDAF59DCC37EB7307329
    gpg: Good signature from "Kamil Gierach-Pacanek (Git signing key) <****@******.com>" [ultimate]
    $ git show --show-signature 64796ee
    
    commit 64796eeea6be5742828f5269a35585c98f02d3c2 (HEAD -> master)
    gpg: Signature made 14-04-2021 10:00:09 Central European Daylight Time
    gpg:                using RSA key 551760C1C76669F30FEFCDAF59DCC37EB7307329
    gpg: Good signature from "Kamil Gierach-Pacanek (Git signing key) <****@******.com>" [ultimate]
    Author: Kamil Gierach-Pacanek <****@******.com>
    Date:   Wed Apr 14 09:59:52 2021 +0200
    
        Signed commit
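Beyond checking one commit by hand, an added example (not from the original gist) that audits every commit in a revision range: it relies on git's %G? placeholder (one letter per commit: G = good, U = good but the key's validity is unknown, X/Y = good but expired, B = bad, E = cannot be checked, N = unsigned) and %GF (fingerprint of the signing key). The expected fingerprint is the RSA key from the verify-commit output above; the commit hashes in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: audit that every commit in a
# range carries a good signature from the expected key. Uses git's %G? status
# letter and %GF signing-key fingerprint placeholders. "|" separates fields so
# an empty %GF (unsigned commit) does not shift the columns.

EXPECTED_FPR="551760C1C76669F30FEFCDAF59DCC37EB7307329"

# audit_log: read "<status>|<fingerprint>|<hash>|<subject>" lines on stdin
# (the git log format used in audit_range). Returns 0 only when every commit
# has status G and was signed with the expected fingerprint; each offending
# commit is reported on stderr and the function returns 1.
audit_log() {
  local expected="$1" bad=0 status fpr hash subject
  while IFS='|' read -r status fpr hash subject; do
    [ -n "$status" ] || continue
    if [ "$status" = "G" ] && [ "$fpr" = "$expected" ]; then
      continue
    fi
    case "$status" in
      N) echo "UNSIGNED   $hash $subject" >&2 ;;
      G) echo "WRONG KEY  $hash signed by $fpr: $subject" >&2 ;;
      U) echo "UNTRUSTED  $hash key $fpr not trusted: $subject" >&2 ;;
      *) echo "STATUS $status $hash $subject" >&2 ;;
    esac
    bad=1
  done
  return "$bad"
}

# audit_range RANGE: e.g. audit_range origin/master..HEAD
audit_range() {
  git log --format='%G?|%GF|%H|%s' "$1" | audit_log "$EXPECTED_FPR"
}

# demo_audit: constructed log lines (hashes are made up) mixing one good
# commit with an unsigned one and one signed by an untrusted key; returns 1.
demo_audit() {
  printf '%s\n' \
    "G|$EXPECTED_FPR|64796eeea6be5742828f5269a35585c98f02d3c2|Signed commit" \
    'N||1111111111111111111111111111111111111111|Forgot to sign' \
    'U|2222222222222222222222222222222222222222|3333333333333333333333333333333333333333|Signed by someone else' \
    | audit_log "$EXPECTED_FPR"
}
```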

Useful notes

Resetting gpg-agent

In case the following error occurs during the commit phase:

gpg: can't connect to the agent: IPC connect call failed
gpg: keydb_search failed: No agent running
gpg: skipped "34A91BE1A93DDAF6": No agent running
gpg: signing failed: No agent running
error: gpg failed to sign the data
fatal: failed to write commit object

Run the following commands to restart the agent:

gpgconf --kill gpg-agent
gpg-connect-agent reloadagent /bye