Here is a short guide that will help you setup your environment to create signed commits
or signed tags
with Git locally. This has been extensively tested on Windows with Git and the Github Desktop application: I use it every day for my professional development projects.
I you face any issue, feel free to leave a comment below.
-
Generate a GPG key and add it to Github: https://help.github.com/articles/generating-a-new-gpg-key (if you don't want to type a passphrase on every commit, you need to press "Enter" when the console will prompt you to type a passphrase)
-
Open the
.gitconfig
configuration file by typinggit config --global --edit
in a terminal (since this file can exists in different places depending on your operating system, the command line will prompt git binary and open your default editor) -
Configure Git by replacing GITHUB_EMAIL, SIGNING_KEY and GPG_BINARY_PATH with your own data:
[user]
name = Xavier Foucrier
email = GITHUB_EMAIL
signingkey = SIGNING_KEY
[gpg]
program = GPG_BINARY_PATH
[commit]
gpgsign = true
[tag]
gpgsign = true
-
GITHUB_EMAIL: the email address used to login on Github
-
SIGNING_KEY: the GPG key identifier used to sign commits (should follow the GPG key ID convention, like this example: https://help.github.com/articles/telling-git-about-your-signing-key/#telling-git-about-your-gpg-key-1)
-
GPG_BINARY_PATH: the GPG binary file path depending on your Git install and your operating system:
-
Windows:
gpg
,gpg.exe
orC:\\Program Files\\Git\\usr\\bin\\gpg.exe
(can be found usingwhere gpg
in a terminal)Some system may contain multiple gpg binaries, in this case you can execute the following command line with PowerShell to use the more appropriate one:
git config --global gpg.program $(Resolve-Path (Get-Command gpg | Select-Object -Expand Source) | Select-Object -Expand Path)
-
Mac or Linux:
gpg
or/usr/local/bin/gpg
(can be found usingwhich gpg
in a terminal)
-
- Enjoy signed commits with your favorite code editor, Github Desktop application, and even command line using
git commit -S -m "Commit message"
🎉
In order for GPG to automatically store your key passphrase (even empty), so you don't have to enter it every time you sign a commit, Github recommend using the following tools:
This is necessary to let GPG launch the
gpg-agent
as a system daemon when signing commits.
If you want to temporarily pause GPG signatures for your commits or tags, just set gpgsign = false
in your .gitconfig
configuration file with git config --global commit.gpgsign false
(for commits) or git config --global tag.gpgsign false
(for tags).
If the key you have defined in the .gitconfig
configuration file has expired, you can't sign commits anymore. You can easily renew it by following these steps:
-
list the secrets keys with
gpg --list-secret-keys
-
edit the key you want to renew with
gpg --edit-key SIGNING_KEY
(the GPG key used to sign commits, as defined in your.gitconfig
configuration file) -
gpg prompt is ready: you should see
gpg>
-
type
expire
to select a new expiration delay and confirm -
type
trust
to trust the selected key as "ultimate"
(this step is not needed if your current key is already trusted as an "ultimate" key) -
type
quit
and confirm you wish to save changes -
enjoy a fresh renewed GPG key!
Thanks everyone for reading! 👀
This DOES NOT WORK with passphrase from Github Desktop.
is it only supposed to work with empty passphrase? @xavierfoucrier