@apinter
Created June 27, 2024 08:50

Commit signing with GPG keys

Having write access to a code base carries risks alongside the obvious benefits. Commit signing is a great way to verify the identity of the individual who is actually making the changes, rather than trusting anyone who has gained access to a contributor's git account.

Requirements

The following packages are required:

  • git
  • gpg (if you're using Linux this is likely to be installed already)

Depending on the distribution of your choice you can install these with the distro's package manager.

Linux

openSUSE

$ sudo zypper ref
$ sudo zypper in gpg2 git

Fedora, CentOS, RHEL

$ sudo dnf makecache
$ sudo dnf install gpg2 git

Ubuntu

$ sudo apt update
$ sudo apt install gpg git

Arch

$ sudo pacman -Syy
$ sudo pacman -S gnupg git

Windows

  1. Download and install the latest version of Git for Windows.
  2. Download and install the latest version of GPG4Win.
  3. Start Git Bash and run the where gpg command to locate the gpg binary installed by GPG4Win. Save the output.
## Default path:
C:\Program Files (x86)\GnuPG\bin\gpg.exe
  4. Configure git to use the correct gpg:
git config --global gpg.program <path/to/gpg/from/previous/command/gpg.exe>

macOS

  1. Download and install Homebrew.
  2. Install gnupg and pinentry with Homebrew:
$ brew install gnupg pinentry-mac
  3. Verify that pinentry shows a GUI prompt by issuing the echo GETPIN | pinentry command.

Set up GPG keys

!!! note The best way to generate secure GPG keys is to download Tails, flash it onto a USB drive, and boot into it without an active network connection. It has everything preinstalled that you will need in the following steps. Even better, store your private key parts on a Yubikey if you can.

The following steps should be identical on every platform.

  1. Generate a key: gpg --full-generate-key
  2. The above will ask a few questions; answer them in this order:
    • Q: Please select what kind of key you want: A: RSA
    • Q: What key size do you want? A: 4096
    • Q: Key is valid for? A: 1y (It is strongly recommended to rotate keys at least yearly.)
    • Enter a strong, ideally generated, password when prompted.
  3. Verify that the GPG key has been created with gpg --list-keys and save the fingerprint.
## Example output:
pub   rsa4096 2022-02-01 [SC]
    D04B6897DFED6E72CFF46FBA04F07005759BB4CE
uid           [ultimate] Attila Pinter (Adathor DevOps) <adathor@adathor.com>
sub   rsa4096 2022-02-01 [E]
  4. Using the fingerprint of the key you can export the public key:
$ gpg --output /path/to/file/to/save --armor --export D04B6897DFED6E72CFF46FBA04F07005759BB4CE
  5. Export the private key; keep this safe and don't share it.
$ gpg --output /path/to/file/to/save --armor --export-secret-keys D04B6897DFED6E72CFF46FBA04F07005759BB4CE

!!! note When moving to a new system you can restore your keys with gpg --import /path/to/key

Enable commit signing

The following steps configure git to sign every commit you make with your GPG private key; the Git platform then verifies each commit against your public key. Note that if the passphrase is not stored in a key ring, gpg will prompt for it on every commit, which quickly gets tedious, so make sure your system has a key ring configured to store the gpg passphrase.

  1. Verify your username and e-mail address used to make commits. The e-mail address used must match the e-mail address used for the GPG key!
$ git config user.name
$ git config user.email

## To set username and e-mail
$ git config --global user.name "YOUR_NAME"
$ git config --global user.email "YOUR_EMAIL"
  2. Add your public key to your GitLab account:
  • Copy the key beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----
  • Go to your Account Preferences GPG Keys setting and paste the public key
  3. On the command line/Git Bash list your signatures with gpg --list-signatures and save the 16-digit signature (the line that starts with sig 3):
pub   rsa4096 2022-07-11 [SC] [expires: 2023-07-11]
    708DFD7D605C9514D5E82672E60A31B88F0504E4
uid           [ultimate] Attila Pinter (Adathor signing key) <adathor@adathor.com>
sig 3        E60A31B88F0504E4 2022-07-11  Attila Pinter (Adathor signing key) <adathor@adathor.com>
sub   rsa4096 2022-07-11 [E] [expires: 2023-07-11]
sig          E60A31B88F0504E4 2022-07-11  Attila Pinter (adathor signing key) <attila.pinter@adathor.com>

In this example the signature is: E60A31B88F0504E4

  4. On the command line/Git Bash enable git commit signing:
$ git config --global user.signingkey [YOUR_GPG_SIGNATURE_HERE]
$ git config --global commit.gpgsign true
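A self-check for the configuration above, as an added example that is not part of the original gist: it parses gpg's colon-separated listing (gpg --list-keys --with-colons) and confirms that the key id you put in user.signingkey exists in the keyring, can sign, has not expired, and carries a uid matching user.email. The listing below is constructed from the example output above (assumed GnuPG 2.x field layout); in real use feed it the live gpg output and the current time.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output, modelled on the
# key listing above (assumption: GnuPG 2.x colon field layout; epoch timestamps
# 1657497600 = 2022-07-11, 1689033600 = 2023-07-11).
SAMPLE_LISTING='pub:u:4096:1:E60A31B88F0504E4:1657497600:1689033600::u:::scESC::::::23::0:
fpr:::::::::708DFD7D605C9514D5E82672E60A31B88F0504E4:
uid:u::::1657497600::0123456789ABCDEF0123456789ABCDEF01234567::Attila Pinter (Adathor signing key) <adathor@adathor.com>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1657497600:1689033600:::::e::::::23:'

# check_signing_key LISTING KEYID EMAIL NOW
#   LISTING  colon-format output of `gpg --list-keys --with-colons`
#   KEYID    the 16-digit id you put in git's user.signingkey
#   EMAIL    the address in git's user.email (must appear in a uid of the key)
#   NOW      current time as epoch seconds, e.g. $(date +%s)
# Prints "ok" and returns 0 when the key is usable; otherwise prints the reason
# and returns 1 (unknown key), 2 (cannot sign), 3 (expired) or 4 (email mismatch).
check_signing_key() {
    printf '%s\n' "$1" | awk -F: -v keyid="$2" -v email="$3" -v now="$4" '
        # pub record: field 5 is the key id, 7 the expiry, 12 the capabilities
        $1 == "pub" { inkey = ($5 == keyid); if (inkey) { found = 1; expiry = $7; caps = $12 } }
        # uid record: field 10 is the user id string; only count uids of our key
        $1 == "uid" && inkey && index($10, "<" email ">") > 0 { uidok = 1 }
        END {
            if (!found)      { print "key " keyid " not in keyring"; exit 1 }
            if (caps !~ /s/) { print "primary key cannot sign"; exit 2 }
            if (expiry != "" && expiry + 0 < now + 0) { print "key expired"; exit 3 }
            if (!uidok)      { print "no uid with <" email ">"; exit 4 }
            print "ok"
        }'
}

# Demo against the constructed listing at a time inside the validity window.
# Real use: check_signing_key "$(gpg --list-keys --with-colons)" \
#   "$(git config user.signingkey)" "$(git config user.email)" "$(date +%s)"
check_signing_key "$SAMPLE_LISTING" E60A31B88F0504E4 adathor@adathor.com 1660000000
```

If the email check fails, gpg can still sign, but the platform will not show the commit as verified because the uid does not match the committer address.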

Commit signing in IDEs

To enable commit signing for IDEs check out the following documentation:

If the above steps were applied correctly you will see a green, Verified badge next to every commit you make.
