Signing commits using GPG in Git

Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.

Introduction to GPG

First of all, if you want to sign anything you need to get GPG configured and your personal key installed.

hzxie@XieHaozhe-PC:~$ gpg --list-keys
/home/hzxie/.gnupg/pubring.gpg
------------------------------
pub   1024D/381BA480 2007-02-15
uid                  Johannes Ranke (CRAN Debian archive) <jranke@uni-bremen.de>

pub   4096R/3DBF9592 2016-03-28
uid                  Haozhe Xie (GPG key for GitHub) <zjhzxhz@gmail.com>
sub   4096R/BFEB9969 2016-03-28

If you don’t have a key installed, you can generate one with gpg --gen-key.

gpg --gen-key

Once you have a private key to sign with, you can configure Git to use it for signing things by setting the user.signingkey config setting.

# Remember to replace the key here
git config --global user.signingkey 3DBF9592
git config --global commit.gpgsign true

Now Git will use your key by default to sign tags and commits if you want.

Add GPG Keys to GitHub

From the list of GPG keys, copy the GPG key ID you'd like to use. In this example, the GPG key ID is 3DBF9592. Then run following commands:

gpg --armor --export 3DBF9592

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Paste the GPG key to GitHub Settings as the figure goes below.

GitHub-GPG-Settings

Reference

  • https://virusdefender.net/index.php/archives/734/
  • https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
  • https://help.github.com/articles/generating-a-gpg-key/
Contact Us
  • Room 614, Zonghe Building, Harbin Institute of Technology
  • cshzxie [at] gmail.com