I recommend signing all your Git commits. Git itself does not authenticate the author and committer fields: anyone can set user.name and user.email to your identity and produce a commit that looks like yours. A GPG signature is computed over the whole commit object (tree, parents, author, committer and message), so a verifier can check that the commit was made by whoever holds your private key and that none of that content was changed afterwards. I do this to build trust and accountability in my projects, and it protects against unauthorized changes slipping in under my name. It also helps with meeting security standards and makes the whole development process more reliable. Trust me, it's a good habit to get into!
Here are the steps needed for creating a GPG key and using it for signing all your git commits.
Step 1: Install GPG
First, you need to have GPG installed on your system. Most modern operating systems have it available.
For Debian/Ubuntu (other distributions ship it as gnupg or gnupg2):
sudo apt-get install gnupg
For macOS:
brew install gnupg
Step 2: Generate a GPG Key
To generate a new GPG key pair, open your terminal and run:
gpg --full-generate-key
You’ll be prompted with several options:
- Key Type: Choose RSA and RSA. It is the default in GnuPG 2.2; GnuPG 2.3 and later default to ECC (Curve 25519), which also works for commit signing, but the rest of this guide assumes RSA.
- Key Size: Choose 4096 bits for stronger security.
- Key Expiration: Choose an appropriate expiration period (e.g., 1 year). You can also choose 0 for no expiration, but an expiring key limits the damage if you lose control of it, and the expiry date can be extended later without creating a new key.
- User ID Information: Enter your real name, the email address you commit with, and an optional comment. This information will be associated with your GPG key, and hosting platforms such as GitHub only mark a commit as verified if the email in the key's user ID matches the committer email.
- Passphrase: Enter a strong passphrase to protect your private key. It is tempting to skip it for a key used only for commit signing, but an unprotected private key means anyone who can read your home directory (or a backup of it) can sign commits as you. Set one, and let gpg-agent cache it so you only type it once per session.
Once you have entered all the necessary information, GPG will generate your key pair. This process might take a few minutes.
Step 3: List Your GPG Keys
To list your GPG keys and get the key ID, run:
gpg --list-secret-keys --keyid-format LONG
You’ll see an output similar to this:
/home/user/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/ABCDEFGHI1234567 2023-05-19 [SC] [expires: 2024-05-19]
uid                 [ultimate] Your Name <youremail@example.com>
ssb   rsa4096/1234567ABCDEFGH 2023-05-19 [E] [expires: 2024-05-19]
The key ID is the part after rsa4096/ on the sec line (ABCDEFGHI1234567 in this placeholder output; a real key ID is 16 hexadecimal characters). Older GnuPG 1.x versions print the same field as 4096R/ABCDEFGHI1234567.
Step 4: Configure Git to Use Your GPG Key
Now, configure Git to use your GPG key for signing commits. Replace ABCDEFGHI1234567 with your actual GPG key ID:
git config --global user.signingkey ABCDEFGHI1234567
Step 5: Export Your GPG Public Key
To allow others to verify your signed commits, you need to share your GPG public key. Export it in ASCII-armored form using:
gpg --armor --export your-email@example.com
Copy the output, from the -----BEGIN PGP PUBLIC KEY BLOCK----- line to the -----END PGP PUBLIC KEY BLOCK----- line, and share it via email, a key server, or your GitHub or GitLab account settings. If you have more than one key with that email address, pass the key ID instead of the address so you export the right one. Only the public key is ever shared; the private key stays on your machine.
Step 6: Sign Your Commits
To sign a single commit, use the -S flag with git commit:
git commit -S -m "Your commit message"
To sign all your commits by default, you can set the following Git configuration:
git config --global commit.gpgSign true
Step 7: Verify Signed Commits
To verify the signatures of your commits, use:
git log --show-signature
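The whole procedure above, run end to end as an added example (this script is not part of the original post): it generates a key non-interactively in a throwaway GNUPGHOME, configures a temporary repository to sign every commit, verifies the signature with git verify-commit, then rewrites the commit without re-signing to show that verification fails. It needs gpg 2.1 or later and git; the identity Demo Signer <demo@example.com>, the temporary paths and the passphrase-less key are assumptions made for the demo (a real signing key should carry a passphrase, as discussed in Step 2).

```shell
#!/bin/sh
# Added example, not from the original post: Steps 2-7 in a throwaway
# GNUPGHOME and git repository, plus a tamper check. Requires gpg >= 2.1 and git.
set -eu

# Nothing to demonstrate without the tools; say so instead of failing obscurely.
if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
    echo "gpg and git are required for this demo; skipping" >&2
    exit 0
fi

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"   # keeps the demo key out of your real keyring
REPO="$WORK/repo"
mkdir -m 700 "$GNUPGHOME"

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true   # the agent started for this GNUPGHOME
    rm -rf "$WORK"
}
trap cleanup EXIT

# Step 2 without the interactive prompts. Name and email are made up for the demo.
# %no-protection means no passphrase: fine for a throwaway key, not for a real one.
generate_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.com
Expire-Date: 1y
%commit
EOF
}

# Step 3 for scripts: in --with-colons output, field 5 of the "sec" record is the
# long key ID, so it does not have to be copied off the human-readable listing.
long_key_id() {
    gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }'
}

# Steps 4 and 6: point git at the key and sign every commit. The post uses
# --global; per-repository settings keep this demo from touching your config.
configure_repo() {
    git init -q "$REPO"
    git -C "$REPO" config user.name "Demo Signer"
    git -C "$REPO" config user.email "demo@example.com"
    git -C "$REPO" config user.signingkey "$1"
    git -C "$REPO" config commit.gpgSign true
}

# Step 7, scriptable form: exit status 0 only for a good signature by a key in
# the keyring; a missing or bad signature is non-zero.
verify_head() {
    git -C "$REPO" verify-commit HEAD 2>/dev/null
}

# Rewrite the commit without re-signing. The amended commit is a new object that
# the old signature never covered, and git does not carry the gpgsig header over.
tamper_head() {
    git -C "$REPO" commit -q --amend --no-gpg-sign -m "Tampered commit"
}

generate_key
KEY_ID="$(long_key_id)"
configure_repo "$KEY_ID"
echo "hello" > "$REPO/README"
git -C "$REPO" add README
git -C "$REPO" commit -q -m "Signed commit"

SIGNED_VERIFIES=0
verify_head && SIGNED_VERIFIES=1        # expected: 1

tamper_head
TAMPERED_REJECTED=0
verify_head || TAMPERED_REJECTED=1      # expected: 1

echo "key $KEY_ID: signed commit verifies=$SIGNED_VERIFIES, tampered commit rejected=$TAMPERED_REJECTED"
```

Run it with sh. It prints the generated key ID and the two verification outcomes, and removes the temporary directory and its gpg-agent on exit. git verify-commit (and git verify-tag) is the scriptable counterpart of git log --show-signature: its exit status is what a CI job or a server-side hook should check, since a human reading the log output will not catch an unsigned commit in a long history.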
Additional Tips:
- Publishing Your Public Key: Consider uploading your GPG public key to a key server such as keys.openpgp.org to make it easier for others to find and verify your key. (keys.gnupg.net pointed at the SKS key server pool, which has since been shut down.) You can upload your GPG key to your GitHub account as well; GitHub then marks commits signed with it as Verified, provided the email in the key matches a verified email on the account.
- GPG Agent: Use gpg-agent for managing your GPG keys, especially if you're frequently signing commits. It caches your passphrase, so you type it once per session rather than once per commit.
- Terminal Prompts: If git commit fails with "gpg failed to sign the data", gpg usually could not open a passphrase prompt in your terminal. Setting the GPG_TTY environment variable to your terminal device, as the gpg-agent manual describes, fixes the most common case.
This guide should help you generate GPG keys and use them to sign your Git commits. If you encounter any issues or need more advanced configurations, refer to the GPG documentation and the Git documentation.