@cwilper
Last active October 14, 2022 19:13
How to sign all git commits

Want to sign all your git commits by default?

There are many possible ways to do this. This is what worked for me in October 2022, on a recent (M1) mac with zsh, homebrew, and a recent version of git.

The first section below is required to get the basics working. All others are optional.

Install gpg, generate a key, and configure it for signing

brew install gnupg
gpg --generate-key # when prompted, enter the same email address you use for commits
keyid=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" {print $5}')
git config --global user.signingkey $keyid
echo 'export GPG_TTY=$TTY' >> ~/.zshrc
exec zsh
git config --global commit.gpgsign true

Store the passphrase in your macos keychain

brew install pinentry-mac
echo "pinentry-program $(which pinentry-mac)" > ~/.gnupg/gpg-agent.conf
pkill -SIGHUP gpg-agent
echo "test" | gpg --clearsign

This will pop up a window where you should enter your passphrase, making sure to select the option to store it in the keychain.

Add it to your github account

This makes your commits show up as "Verified" on github.

pbcopy < <(gpg --armor --export $keyid)

Then go to github.com/settings/keys, add a GPG key, and paste it.

See any commit's signature

git show [ref] --show-signature

Add an alias showing a tree of commits including whether each commit is signed

  • Edit your .gitconfig file
  • Add an [alias] section if not already present
  • Under that section, add the following:
    la = log --color --graph --pretty=format:'%C(red bold)%h%Creset%C(yellow bold)%d%Creset %C(green bold)(%cr)%Creset %C(white)%s%Creset %C(magenta bold)<%an> %Creset%C(magenta dim)(%ar, sig=%G?)%Creset' --abbrev-commit --author-date-order

Use this alias via:

git la [ref]

Notice how the end of each line has sig=code, where code is git's %G? signature status placeholder, documented in git log's pretty formats as follows:

"G" for a good (valid) signature, "B" for a bad signature, "U" for a good signature with unknown validity, "X" for a good signature that has expired, "Y" for a good signature made by an expired key, "R" for a good signature made by a revoked key, "E" if the signature cannot be checked (e.g. missing key) and "N" for no signature

Import github's key

If you use github, some commits to your repo that are made interactively on the web (e.g. merges or edits in the browser) are signed by github itself. They will show up as "E" (signature can't be checked) because you don't have github's public key imported yet. You can remedy that with:

curl https://github.com/web-flow.gpg | gpg --import

...which should cause such commits to show up as "U": the signature is now good, but the key's validity is unknown because you haven't trusted it yet. If you want git to report it as valid, locally sign the key via:

pubkeyid=$(gpg --list-keys | grep -B 1 web-flow | head -1 | awk '{print $1}')
gpg --lsign-key $pubkeyid

Now the commits will show up as "G" because the signature is considered valid.
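As an added example (not part of the gist), the script below turns the same %G? codes from the alias and key-import sections above into an audit of a whole commit range, the kind of check you would run before a push or in CI once the relevant keys are imported and signed. The policy is an assumption: only "G" passes by default, and ALLOW_UNTRUSTED=1 also accepts "U"; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the gist: audit every commit in a range using the
# same %G? status codes shown by the 'git la' alias, and fail if any commit
# lacks a good, trusted signature. Policy (an assumption): only "G" passes;
# set ALLOW_UNTRUSTED=1 to also accept "U" (good signature, key not lsigned).

# Turn one %G? code into "PASS/FAIL <reason>"; returns 0 on pass, 1 on fail.
classify_sig_code() {
  case "$1" in
    G) echo "PASS good signature, trusted key"; return 0 ;;
    U) if [ "${ALLOW_UNTRUSTED:-0}" = 1 ]; then
         echo "PASS good signature, untrusted key (allowed by policy)"; return 0
       fi
       echo "FAIL good signature but key not trusted (gpg --lsign-key it)"; return 1 ;;
    X) echo "FAIL signature has expired"; return 1 ;;
    Y) echo "FAIL signing key has expired"; return 1 ;;
    R) echo "FAIL signing key was revoked"; return 1 ;;
    B) echo "FAIL BAD signature, commit content may have been altered"; return 1 ;;
    E) echo "FAIL cannot verify, public key missing (gpg --import it)"; return 1 ;;
    N) echo "FAIL commit is not signed"; return 1 ;;
    *) echo "FAIL unknown status code '$1'"; return 1 ;;
  esac
}

# Read "hash|code|keyid|author" lines on stdin ('|' keeps the empty %GK field
# of unsigned commits intact), print one verdict per commit, and return 1 if
# any commit failed. Works on constructed input as well as real git output.
audit_sig_lines() {
  rc=0
  while IFS='|' read -r hash code keyid author; do
    [ -n "$hash" ] || continue
    verdict=$(classify_sig_code "$code") || rc=1
    printf '%s %s %s [%s] %s\n' "$hash" "$code" "$verdict" "${keyid:-no key}" "$author"
  done
  return "$rc"
}

# Run the audit over a real range, e.g. audit_signed_commits origin/main..HEAD
audit_signed_commits() {
  git log --format='%h|%G?|%GK|%an' "${1:-HEAD~20..HEAD}" | audit_sig_lines
}

# Executed with a range argument, audit it; sourcing the file only defines
# the functions.
if [ $# -gt 0 ]; then
  audit_signed_commits "$1"
fi
```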
