GitWriting
Jul 2, 2018
4 min read

Leaving a mark… Git Commit Signature

Working with open source code is fun. But when sharing your code with others, or using someone else’s code for your next awesome project it becomes essential that we are sure that what we see is exactly what we get. There needs to be a mechanism to guarantee that the code has originated from verified sources. There needs to be a way to safeguard ourselves from incidents like this.

This is where Commit Signing comes in. Signing a commit verifies the identity of the user who made the commit. This way, we can be sure that the code was contributed by a trusted source. Let’s see how we can set up commit signing for our own commits.

The first step here is to generate a GPG key. Please follow the instructions below to install GPG on your system. (Note: The following steps need to be repeated for every system that you are using.)

Windows

Download and install GPG.

Ubuntu

sudo apt-get install gpa seahorse

Mac

brew install gpg

Brew is an excellent package manager for MacOS. If you don’t already have it installed, follow instructions here to install it on your system.

Once you have GPG installed on your system, the instructions are OS agnostic. Depending on your OS, open the command prompt / terminal and follow these steps:

  • Generate a new GPG key:

    gpg --gen-key

  • Answer the questions that are asked.

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account. If you have more than one verified email address for your GitHub account, you may enter any of them.

  • List the generated keys:

    gpg --list-secret-keys --keyid-format LONG

  • The above command will generate an output similar to this:

    /home/username/.gnupg/secring.gpg
    -------------------------------
    sec   4096R/<COPY_LONG_KEY> 2016-08-11 [expires: 2018-08-11]
    uid                          User Name <[email protected]>
    ssb   4096R/62E5B29EEA7145E 2016-08-11

  • Note down the COPY_LONG_KEY from above.
  • The next step is to inform GitHub about the key you are planning to use to sign your commits, so that once you push the commits, GitHub can verify that they were truly made by you. We also need to configure git on your system to sign commits.
  • Export the above generated key as a text file:

    gpg --armor --export <PASTE_LONG_KEY_HERE> > gpg-key.txt

  • Log in to GitHub and go to profile settings. Here, click on New GPG key, paste the contents of the text file generated in the above step into the text box and click on Add GPG key. You should see your key added to your GitHub account.
  • Next, run the following command in your command prompt/terminal:

    gpg --list-keys

  • You should see an output like the following:

    /home/username/.gnupg/pubring.gpg
    -------------------------------
    pub   4096R/<COPY_SHORT_KEY> 2016-08-11 [expires: 2018-08-11]
    uid                  Your Name <[email protected]>
    sub   4096R/EB61969F 2016-08-11 [expires: 2017-08-11]

  • Copy the COPY_SHORT_KEY from above. Then, run the following commands to make git sign every commit you make from now on:

    git config --global user.signingKey <PASTE_SHORT_KEY_HERE>
    git config --global commit.gpgsign true

  • That’s it! You’re done. Now whenever you commit your code, you will be prompted for the key password (the one that you created above) and your commit will be signed. Once you enter your password, it is cached in memory for a few hours; afterwards, you will be prompted for the password again.
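The "list keys, copy the ID, run git config" steps above are easy to get wrong by hand, especially when more than one key is present or an old one has expired. As an added example (not code from the original article), here is a small Python script that parses the output of gpg --list-secret-keys --keyid-format LONG in both the older 4096R/ layout shown above and the newer rsa4096/ layout, skips revoked or expired keys, insists on the full 16-hex-digit long key ID (8-digit short IDs are collision-prone, so the long ID is the safer value for user.signingKey), and prints the two git config commands from the article. The sample listing, its email address and its key IDs are constructed placeholders; pipe real gpg output into choose_signing_key in practice.

```python
"""Pick a usable signing key from `gpg --list-secret-keys --keyid-format LONG`
output and emit the matching `git config` commands.

Added example, not part of the original article. SAMPLE_LISTING below is
constructed to mirror the article's output; every key ID is a placeholder.
"""
import re

# Matches "sec   4096R/<16 hex> 2016-08-11 [expires: ...]" (GnuPG 1.x layout)
# and   "sec   rsa4096/<16 hex> 2019-03-01 [SC] [expires: ...]" (GnuPG 2.x).
# Group 1 is the key ID, group 2 whatever flags follow the creation date.
SEC_LINE = re.compile(r"^sec\s+\S+/([0-9A-Fa-f]+)\s+\d{4}-\d{2}-\d{2}(.*)$")
EXPIRES = re.compile(r"\[expires: (\d{4}-\d{2}-\d{2})\]")


def parse_secret_keys(listing):
    """Return one dict per 'sec' line: key id, expiry date (ISO string or None),
    and whether gpg already marks the key revoked or expired."""
    keys = []
    for line in listing.splitlines():
        m = SEC_LINE.match(line)
        if not m:
            continue  # uid/ssb/header lines carry nothing we need here
        key_id, flags = m.group(1).upper(), m.group(2)
        exp = EXPIRES.search(flags)
        keys.append({
            "id": key_id,
            "expires": exp.group(1) if exp else None,
            "revoked": "[revoked" in flags,
            "expired": "[expired" in flags,
        })
    return keys


def choose_signing_key(listing, today):
    """Return the first key that has a full 16-hex-digit long ID, is not
    revoked, and has not expired by `today` (an ISO date string, so plain
    string comparison orders dates correctly). Raises ValueError otherwise."""
    for k in parse_secret_keys(listing):
        if len(k["id"]) != 16:
            continue  # refuse 8-digit short IDs: they are collision-prone
        if k["revoked"] or k["expired"]:
            continue
        if k["expires"] is not None and k["expires"] <= today:
            continue
        return k["id"]
    raise ValueError("no usable long key ID found in gpg listing")


def git_signing_config(key_id):
    """The two commands from the article that make git sign every commit."""
    return [
        f"git config --global user.signingKey {key_id}",
        "git config --global commit.gpgsign true",
    ]


# Constructed sample: a revoked key, an old-layout key that expired in 2018,
# and a current new-layout key. Addresses and IDs are placeholders.
SAMPLE_LISTING = """\
/home/username/.gnupg/secring.gpg
-------------------------------
sec   rsa2048/1122334455667788 2015-05-05 [SC] [revoked: 2016-01-01]
uid           [ revoked] Old Name <user@example.com>
sec   4096R/0123456789ABCDEF 2016-08-11 [expires: 2018-08-11]
uid                          User Name <user@example.com>
ssb   4096R/62E5B29EEA7145E 2016-08-11
sec   rsa4096/FEDCBA9876543210 2019-03-01 [SC] [expires: 2030-03-01]
uid           [ultimate] User Name <user@example.com>
ssb   rsa4096/0011223344556677 2019-03-01 [E]
"""

if __name__ == "__main__":
    # With real output: choose_signing_key(sys.stdin.read(), date.today().isoformat())
    key = choose_signing_key(SAMPLE_LISTING, "2024-01-01")
    print("\n".join(git_signing_config(key)))
```

Run it against real output with gpg --list-secret-keys --keyid-format LONG | python3 pick_key.py (after swapping SAMPLE_LISTING for sys.stdin.read() as the comment suggests); if it raises ValueError, every secret key on the machine is revoked, expired, or listed only by a short ID, and a new key should be generated before configuring git.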

By Ajitem Sahasrabuddhe on July 2, 2018.