Signing Commits in Git

This is a step-by-step tutorial on signing commits in Git.

 

Step 1: Key Management

List the installed keys

To check all the installed keys, run:
				
					$ gpg --list-keys
				
			

You will get output such as this:

				
					pub   rsa3072 2024-09-06 [SC]
      B8123D271E29EF454E54CE73904E69AEDC24624E
uid           [ultimate] Habibur Rahman <accounts@emon.no>
sub   rsa3072 2024-09-06 [E]
				
			

# the <key-id> in this case is B8123D271E29EF454E54CE73904E69AEDC24624E

Delete existing key and secret key (optional)
				
					$ gpg --delete-secret-key <key-id>
$ gpg --delete-key <key-id>
				
			

Step 2: Create a new key

Generate a new key

				
					$ gpg --full-generate-key
				
			
Choose the key type

You will be prompted to select the kind of key you want. Choose the kind of key.

				
					Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
				
			
Note: GitHub accepts RSA, hence you can choose option (1), the default.

Choose the key size

Next, it will prompt you to enter the key size. Enter the value.
Note: GitHub recommends a key size of 4096 bits.

Choose the key validity period

Next, it will prompt you to specify the validity period of the key. Enter the desired value:

0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years

Note: GitHub recommends entering 0 (key does not expire).

Enter personal details

GPG will then prompt you for your real name, email address, and a comment. Fill them in as requested.

Enter passphrase

It will then ask for a passphrase to protect the new key. Enter a passphrase and remember it. It will ask you to repeat the passphrase.

Key generation complete

Your key is now generated. You can check for the key using this command:

				
					$ gpg --list-keys
				
			

Step 3: Create a secret key

To view the secret key:
				
					$ gpg --list-secret-keys --keyid-format=short
				
			
				
					sec   rsa4096/FB02FDC3 2024-09-06 [SC]
      8F3AC39235D25714A4F141E14821DBE9FB02FDC3
uid         [ultimate] Habibur Rahman <accounts@emon.no>
ssb   rsa4096/743EF7A4 2024-09-06 [E]
				
			

To view the key-id in the long format

				
					$ gpg --list-secret-keys --keyid-format=long
				
			
				
					sec   rsa4096/4821DBE9FB02FDC3 2024-09-06 [SC]
      8F3AC39235D25714A4F141E14821DBE9FB02FDC3
uid                 [ultimate] Habibur Rahman <accounts@emon.no>
ssb   rsa4096/AA50607A743EF7A4 2024-09-06 [E]
				
			
the <full-fingerprint> is 8F3AC39235D25714A4F141E14821DBE9FB02FDC3
the <long-form-key-id-pub> is 4821DBE9FB02FDC3
the <long-form-key-id-sub> is AA50607A743EF7A4
the <short-form-key-id-pub> is FB02FDC3
the <short-form-key-id-sub> is 743EF7A4

 

# the <key-id> which we will use can either be:
<full-fingerprint>
<long-form-key-id-pub>
<short-form-key-id-sub>
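
The same lookup done mechanically, as an added example that is not part of the original tutorial: the function reads the machine-readable listing from gpg --list-secret-keys --with-colons and prints the full fingerprint of each usable signing key. The sample listing is constructed from the key shown above; the subkey fingerprint and the expired key are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# signing_fprs: read `gpg --list-secret-keys --with-colons` on stdin and print
# the full fingerprint of every usable secret key that can sign.
# Colon format: field 1 = record type, 2 = validity, 12 = capabilities;
# in an "fpr" record, field 10 is the fingerprint.
signing_fprs() {
  awk -F: '
    $1 == "sec" {
      # Upper-case S: the key as a whole can sign (primary or a subkey).
      # Skip keys that are revoked (r), expired (e) or disabled (D).
      want = ($12 ~ /S/ && $12 !~ /D/ && $2 !~ /^[re]$/)
      next
    }
    # The first fpr record after a sec record is the primary fingerprint;
    # later fpr records belong to subkeys and are ignored.
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Constructed sample: the rsa4096 key from the tutorial, preceded by an
# expired key. The all-ones fingerprint and the subkey fingerprint are
# placeholders, not real keys.
sample_listing() {
  cat <<'EOF'
sec:e:3072:1:1111111111111111:1600000000:1631536000::u:::sc:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1600000000::::Old Key <old@example.com>::::::::::0:
sec:u:4096:1:4821DBE9FB02FDC3:1725580800:::u:::scESC:::+:::23::0:
fpr:::::::::8F3AC39235D25714A4F141E14821DBE9FB02FDC3:
uid:u::::1725580800::::Habibur Rahman <accounts@emon.no>::::::::::0:
ssb:u:4096:1:AA50607A743EF7A4:1725580800::::::e:::+:::23:
fpr:::::::::000000000000000000000000AA50607A743EF7A4:
EOF
}

# Real use:
#   fpr=$(gpg --list-secret-keys --with-colons | signing_fprs | head -n 1)
#   git config --global user.signingkey "$fpr"
sample_listing | signing_fprs    # demo on the constructed listing
```
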

Export the GPG key

To export the user's public GPG key in ASCII-armored format, use the command below, where the <key-id> can be <full-fingerprint>, <long-form-key-id-pub> or <short-form-key-id-sub>.

				
					$ gpg --armor --export <key-id>
				
			

# you will get a public key output like this

				
					-----BEGIN PGP PUBLIC KEY BLOCK-----
[key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
				
			

This is the key that you need to register in your GitHub account, which will be discussed later.

Step 4: Configuring Git to use the signed keys

Check the global git configuration values
				
					$ git config --global --list
				
			
(optional) delete a specific global configuration
				
					$ git config --global --unset <entry>
				
			

For example, to delete user.email, use git config --global --unset user.email

If there are multiple instances of an entry, use the command

				
					$ git config --global --unset-all user.email
				
			
Configure signing key

The following entries are needed to configure GPG with GitHub, apart from "user.name" and "user.email".

In our example, the command should be

$ git config --global user.signingkey 8F3AC39235D25714A4F141E14821DBE9FB02FDC3

You can also use the long, the short or the full form of the <key-id> from Step 3. Doesn't matter 🙂

				
					$ git config --global user.signingkey <key-id>
				
			
Enable GPG signing on commits and on tags
				
					$ git config --global commit.gpgsign true
$ git config --global tag.gpgsign true
				
			

Configure GPG environment path

For Linux:
				
					$ git config --global gpg.program gpg
				
			
For Windows:
				
					$ git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
				
			
For macOS:
				
					$ git config --global gpg.program /opt/homebrew/bin/gpg
				
			

If you want to find the path of gpg, you can find it using

				
					$ which gpg
				
			
Verify git configuration
				
					$ git config --global --list
				
			
				
					user.name=John Doe
user.email=john@dope.com
user.signingkey=8F3AC39235D25714A4F141E14821DBE9FB02FDC3
gpg.program=gpg
commit.gpgsign=true
tag.gpgsign=true
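
A check for the listing above, as an added example that is not part of the original tutorial: it reads git config --list output and reports missing signing entries, a user.signingkey that is not a full fingerprint (stricter than the tutorial, which accepts any form), and a user.email that differs from the address on the key, since GitHub matches the committer email against the identities on the key. The function names and the choice of checks are this example's own; the sample input is the listing shown above.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# audit_signing_config KEY_EMAIL: read `git config --list` output on stdin and
# print one line per problem with the signing setup from Step 4.
audit_signing_config() {
  awk -v key_email="$1" '
    function is_true(v) { return tolower(v) ~ /^(true|yes|on|1)$/ }
    {
      eq = index($0, "=")                 # split on the first "=" only
      if (eq == 0) { cfg[tolower($0)] = "true"; next }   # bare key means true
      cfg[tolower(substr($0, 1, eq - 1))] = substr($0, eq + 1)   # last one wins
    }
    END {
      if (!is_true(cfg["commit.gpgsign"])) print "commit.gpgsign is not enabled"
      if (!is_true(cfg["tag.gpgsign"]))    print "tag.gpgsign is not enabled"
      key = cfg["user.signingkey"]
      if (key == "")
        print "user.signingkey is not set"
      else if (length(key) != 40 || key !~ /^[0-9A-Fa-f]+$/)
        print "user.signingkey is not a full 40-hex fingerprint: " key
      if (tolower(cfg["user.email"]) != tolower(key_email))
        print "user.email " cfg["user.email"] " is not the address on the key (" key_email ")"
    }'
}

# Constructed input: the configuration listing shown above.
sample_config() {
  cat <<'EOF'
user.name=John Doe
user.email=john@dope.com
user.signingkey=8F3AC39235D25714A4F141E14821DBE9FB02FDC3
gpg.program=gpg
commit.gpgsign=true
tag.gpgsign=true
EOF
}

# Real use: git config --global --list | audit_signing_config <email-on-your-key>
sample_config | audit_signing_config accounts@emon.no
```
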
				
			
Export GPG TTY
				
					$ export GPG_TTY=$(tty)
				
			