Signing your github commits with GPG keys
If you ever wondered how to sign your commits (to assure others that it was you who really did the commit) or just wanted a nice
Verified label right after your commit message on github page - you opened the right article to follow.
First you need to install GPG command line tools allowing you to create a personal key which will be using to sign your commits. We need to install
$ mkdir /tmp/gpg
Optionally, after downloading an archive you might check the file not to be broken and downloaded correctly. Just invoke
sha1sum executable on a file and check the output with the one provided on the site (at the bottom of the page).
$ sha1sum libgpg-error-1.31.tar.bz2
If checksum is the same unpack the archive and build libraries from source code, otherwise try to download it again or by using
curl or your browser.
$ tar -xvf libgpg-error-1.31.tar.bz2
You won’t see any success message so just check the output to contain
Libraries have been installed in without any critical warnings. Just follow the procedure with every item in the list below
Check that we have our new fresh version installed
$ gpg --version
Pinentry is a collection of passphrase entry dialogs which is required for almost all usages of GnuPG and therefore is required to be install. The good news is that the installation process is completely the same. Also you need to choose any GUI backend (gtk/gnome/qt etc) and make sure at least one is installed (you can always
sudo apt-get install gtk2.0 if in doubt)
$ wget https://www.gnupg.org/ftp/gcrypt/pinentry/pinentry-1.1.0.tar.bz2
$ gpg --full-generate-key
Press Enter to choose all the default values
RSA and RSA but only change
keysize from 2048 to 4096.
Your key has been generated and you can list of all the keys available on your system with
$ gpg --list-secret-keys --keyid-format LONG
Now we are ready to add that key to our Github account. Just follow the instructions here and insert an output from the command below
$ gpg --armor --export <your-key-id>
where your-key-id is the second part of the listing keys output
rsa4096/<your-key-id> after the slash.
Now you are ready to configure git signing commits for a given repository or globally
$ git config commit.gpgsign true # current repository
And when creating your next commit do not forget to provide
$ git commit -S -m "My first signed commit"
NOTE: you might omit
-S flag if
commit.gpgsign git config is set to
Watch a nice label on your commits history on Github. Happy coding!