If anyone is interested in setting up their system to automatically (or manually) sign their git commits with their GPG key, here are the steps:
- Generate and add your key to GitHub
- $ git config --global commit.gpgsign true ([OPTIONAL] every commit will now be signed)
- $ git config --global user.signingkey ABCDEF01 (where ABCDEF01 is the fingerprint of the key to use)
- $ git config --global alias.logs "log --show-signature" (now available as $ git logs)
- $ git config --global alias.cis "commit -S" (optional if global signing is false)
- $ echo "Some content" >> example.txt
- $ git add example.txt
- $ git cis -m "This commit is signed by a GPG key." (regular commit will work if global signing is enabled)
- $ git logs
If you perform git commits through IntelliJ and want them to be signed, add the following line to your ~/.gnupg/gpg.conf file:
# This option tells gpg not to expect a TTY interface and allows IntelliJ to sign commits
no-tty
If you perform git commits through SourceTree and want them to be signed, open Preferences > General and ensure that the GPG Program field has the value set to the directory containing the gpg2 executable, for example /usr/local/MacGPG2/bin. Even if your gpg executable is version 2, the gpg2 executable must be present.
Then click the Settings icon at the top right of a repository window, click the Security icon, and check "Enable GPG key signing for commits" and select the desired key. If you have a default-key setting in ~/.gnupg/gpg.conf, this should be correctly populated already.
- https://youtrack.jetbrains.com/issue/IDEA-110261#comment=27-1388832
- https://github.com/blog/2144-gpg-signature-verification
- https://help.github.com/articles/signing-commits-using-gpg/
- https://unix.stackexchange.com/questions/48862/how-can-i-create-an-alias-for-a-git-action-command-which-includes-spaces
- https://mikegerwitz.com/papers/git-horror-story
- https://blog.erincall.com/p/signing-your-git-commits-with-gpg
Wondering if you have an example of commit via API to avoid the
"verification": {
"verified": false,
"reason": "unsigned",
"signature": null,
"payload": null
}
}
Example via curl (-S does not seem to work):
git config --global commit.gpgsign true
git config --global user.signingkey ABCDEF01
curl --silent -u (user):(secret) -S -X PUT "https://api.github.com/repos//GPG_commit_test/contents/P3.txt" -d '{ "branch":"master","message":"1234 -Test","author": {"name": "(github id)","email": "email@whatever.com"},"content":"VGVzdCBUZXN0" }'
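What commit -S adds to a commit object, and what the "signature" and "payload" fields of the verification object quoted above correspond to, as an added example (not code from the gist or from GitHub): the signature is stored in a gpgsig header and covers the commit object with that header removed. The sample commit and the function names split_signed_commit and local_view are constructed for illustration.

```python
"""Split a raw git commit object into its signature and signed payload."""

# Constructed sample in the shape of `git cat-file commit <id>` output for a
# signed commit. Hash, identity and signature body are placeholders.
SIGNED = (
    "tree 0000000000000000000000000000000000000000\n"
    "author Example Dev <dev@example.com> 1500000000 +0000\n"
    "committer Example Dev <dev@example.com> 1500000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " cGxhY2Vob2xkZXI=\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "This commit is signed by a GPG key.\n"
)


def split_signed_commit(raw):
    """Return (signature, payload); signature is None if there is no gpgsig."""
    # Headers end at the first blank line; only headers are scanned, so a
    # commit message that merely contains "gpgsig ..." is never mistaken
    # for a signature.
    head, sep, message = raw.partition("\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig.append(line[1:])  # continuation line: drop the one-space prefix
        else:
            in_sig = False
            kept.append(line)
    payload = "\n".join(kept) + sep + message
    return ("\n".join(sig) + "\n" if sig else None), payload


def local_view(raw):
    """Hypothetical helper: fill the verification fields quoted on this page.

    It only separates the parts; validity still has to be checked with gpg.
    """
    sig, payload = split_signed_commit(raw)
    if sig is None:
        return {"reason": "unsigned", "signature": None, "payload": None}
    return {"signature": sig, "payload": payload}


if __name__ == "__main__":
    print(local_view(SIGNED))
```

Writing the two parts to files and running gpg --verify on the signature file and the payload file checks the signature against the exact bytes it covers, so any change to the tree, author, committer or message makes verification fail.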