...

Making a commit verified involves signing it cryptographically using a GPG key.

...

Why Sign Git Commits?

Before we get into the how, let’s talk for a moment about why you should sign your Git commits. Besides the desire to get that green “Verified” badge on your work on GitHub, there are some concrete benefits.

...

For your own projects, if your Git hosting service supports it, you can also enforce a policy that all commits must be signed. On GitHub, that’s done with the “Require signed commits” option on protected branches.

Cryptographic Signatures and GPG

If you’ve never heard of cryptographic signatures or GPG, this brief, simplified explanation might help you.

Asymmetric cryptography

You might have heard that there are two main kinds of cryptographic algorithms: symmetric and asymmetric ones. Symmetric cryptography is the more intuitive one: first you encrypt your data using a secret key (often derived from a passphrase), and then you use the same key to decrypt the message and get it back in clear text. If you want to share the encrypted data with another person, you need to give them the key too. This is how algorithms like AES work, conceptually.

...

In addition to encrypting data, asymmetric cryptography can also be used to sign messages (and verify signatures). This works the opposite way: You sign a message using your private key, and others can verify the signature using your public key.

About signatures

When you sign a message, you’re adding a cryptographically strong proof that you (or someone in possession of your private key) wrote it and that the message was not tampered with.

...

To do that, you have to do two things in principle:

  1. You calculate a hash (or checksum) of your message, using a hashing function such as SHA-256. Hashing functions are one-way operations: they map a message to a fixed-size digest that is, for all practical purposes, unique to that message, and the message cannot be recovered from the digest. The hex-encoded SHA-256 digest of “You and I will meet tomorrow at 11:30 a.m.” is: 579c4547d8dec2c4513de8c858a490a8a2679db205a0b3471f81d5b129d29b88. If you changed even just one bit in the original message (e.g., change the time to 11:31 a.m.), the digest would be completely different (try it).

  2. You use your private key to sign the calculated hash, using algorithms like RSA.

You can now send the signature together with the clear-text message, and anyone holding your public key can check that the signature was made with your private key and that the message is exactly the one you signed.

Note that signatures are added to clear-text messages. Signing a message alone does not encrypt it! Anyone can still read your original message and see that you signed it. You can also sign and then encrypt a message (GPG does this when you pass both --sign and --encrypt), but that’s outside the scope of this article. (What cryptographers call “authenticated encryption” is a different, symmetric-key construction such as AES-GCM, not the combination of an RSA signature with RSA encryption.)
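The two steps above, carried out by hand with openssl so that the digest and the RSA operation are separate, visible commands (GPG performs the same hash-then-sign steps internally). This is an added example, not code from the original article: the key files, the message text and the temporary working directory are constructed for the demo, and it assumes openssl (1.1 or 3.x) is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): SHA-256 digest first,
# then an RSA signature over that digest, then verification with only
# the public key. All files live in a throwaway directory.
set -eu

WORK="$(mktemp -d)"          # constructed scratch directory for the demo
trap 'rm -rf "$WORK"' EXIT

# One-time key pair: the private key stays with the signer, the public
# key goes to anyone who needs to verify. (Idempotent, so it can be
# called more than once in one run.)
make_keypair() {
  [ -f "$WORK/priv.pem" ] && return 0
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

# Step 1: hash the message. Writes the 32 raw digest bytes to "$2" and
# prints the hex form for the reader.
digest_file() {
  openssl dgst -sha256 -binary -out "$2" "$1"
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Step 2: sign the digest, not the whole message, with the private key.
# "-pkeyopt digest:sha256" tells openssl the input is a SHA-256 digest,
# so it is wrapped in the PKCS#1 v1.5 DigestInfo before the RSA operation.
sign_digest() {
  openssl pkeyutl -sign -inkey "$WORK/priv.pem" -in "$1" \
      -pkeyopt digest:sha256 -out "$2"
}

# Verification needs only the public key. Prints "good" or "bad".
verify_digest() {
  out="$(openssl pkeyutl -verify -pubin -inkey "$WORK/pub.pem" -in "$1" \
            -sigfile "$2" -pkeyopt digest:sha256 2>&1 || true)"
  case "$out" in
    *"Verified Successfully"*) echo good ;;
    *)                         echo bad ;;
  esac
}

# Whole walk-through. Prints four words: whether the digests of the real
# and the altered message differ, the verdict on the real message, the
# verdict on the altered one, and whether the plaintext is still readable.
run_signature_demo() {
  make_keypair
  printf 'You and I will meet tomorrow at 11:30 a.m.\n' > "$WORK/msg.txt"
  sed 's/11:30/11:31/' "$WORK/msg.txt" > "$WORK/altered.txt"

  d1="$(digest_file "$WORK/msg.txt" "$WORK/msg.sha256")"
  d2="$(digest_file "$WORK/altered.txt" "$WORK/altered.sha256")"
  [ "$d1" != "$d2" ] && digests="digests-differ" || digests="digests-equal"

  sign_digest "$WORK/msg.sha256" "$WORK/msg.sig"
  v_orig="$(verify_digest "$WORK/msg.sha256" "$WORK/msg.sig")"
  # The same signature presented against the altered message: its digest
  # differs, so the RSA check fails and the tampering is detected.
  v_alt="$(verify_digest "$WORK/altered.sha256" "$WORK/msg.sig")"

  # Signing produced msg.sig next to msg.txt; msg.txt itself is untouched
  # and anyone can read it.
  grep -q '11:30' "$WORK/msg.txt" && vis="plaintext-visible" || vis="plaintext-hidden"
  echo "$digests $v_orig $v_alt $vis"
}

run_signature_demo
```

Run it with bash; the last line it prints is the four observations the section makes: the digests differ, the genuine message verifies, the altered message does not, and the signed message is still clear text.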

GPG: the GNU privacy guard

By now, I hope you at least have a general understanding of the idea behind asymmetric cryptography. Let’s see how we can use it.

...

For example, my public key’s ID is 0x30a525d4, which also maps to [email protected]. One of the sub-keys, 0x4b33ea4c, is used for signing, and that’s what is used to sign my Git commits too.

...

Set Up Your Git to Sign Commits

OK, we’re finally ready to get started.

Install GPG

Besides Git, the only other requirement is GPG itself. We recommend GPG version 2.2 or higher:

...

Code Block
# Tell GPG which terminal to use for passphrase prompts
export GPG_TTY=$(tty)
# Start the agent that caches your passphrase and performs the private-key operations
gpgconf --launch gpg-agent

Generate a GPG key pair

To start, generate a new GPG key pair (public and private):

...

# Restart the agent so that it picks up the newly generated key
gpgconf --kill gpg-agent && gpgconf --launch gpg-agent

Add multiple emails

You can add multiple email addresses by editing the key:

...

Lastly, save and exit with:

Code Block
gnupg> save

Configure Git to sign your commits

Once you have your private key, you can configure Git to sign your commits with it:

...

Code Block
# Sign every commit and every annotated tag by default
git config --global commit.gpgSign true
git config --global tag.gpgSign true

Add the GPG key to GitHub

In order for GitHub to accept your GPG key and show your commits as “verified,” you first need to ensure that the email address you use when committing is both included as a user ID in the GPG key and verified on your GitHub account.

...

Your public GPG key begins with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----.

Make a signed commit

After configuring all of the above, your Git commits can now be signed with your GPG key:
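The whole procedure from the sections above, run end to end in a throwaway keyring and repository so that it never touches your real ~/.gnupg or global Git config. This is an added example rather than the article’s own commands: the key owner, e-mail address and repository path are constructed for the demo, and it assumes gpg 2.1 or later, git and awk are installed. It also adds the check GitHub effectively applies (the committer e-mail must be one of the key’s user IDs) and audits commits with Git’s %G? format placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): generate a key, configure
# a repository to sign, make one signed and one unsigned commit, and verify.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"        # throwaway keyring, removed on exit
chmod 700 "$GNUPGHOME"
REPO="$GNUPGHOME/repo"          # constructed demo repository
EMAIL="demo@example.com"        # constructed; must match a UID on the key
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Signing-only key with no passphrase (demo only: protect a real key with
# a passphrase and give it an expiry). Skips generation if it already exists.
make_key() {
  gpg --batch --quiet --list-secret-keys "$EMAIL" >/dev/null 2>&1 && return 0
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Demo Signer <$EMAIL>" rsa3072 sign 0
}

# Full fingerprint of the primary key: the unambiguous value for user.signingkey.
key_fingerprint() {
  gpg --batch --with-colons --list-secret-keys "$EMAIL" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fresh repository configured as the article describes, but with local
# (per-repository) settings instead of --global.
make_repo() {
  [ -d "$REPO/.git" ] && return 0
  git -c init.defaultBranch=main init -q "$REPO"
  git -C "$REPO" config user.name  "Demo Signer"
  git -C "$REPO" config user.email "$EMAIL"
  git -C "$REPO" config user.signingkey "$(key_fingerprint)"
  git -C "$REPO" config commit.gpgSign true
  git -C "$REPO" config tag.gpgSign true
}

# GitHub shows "Verified" only if the committer e-mail is a UID on the key
# (and verified on the account). Prints "match" or "mismatch" for "$1".
email_matches_key() {
  if gpg --batch --with-colons --list-keys "$(key_fingerprint)" \
       | awk -F: '$1 == "uid" { print $10 }' | grep -q "<$1>"; then
    echo match
  else
    echo mismatch
  fi
}

# Signature status as Git reports it: G = good, N = none, B = bad,
# U = good but untrusted key, E = could not be checked.
sig_status() {
  git -C "$REPO" log -n 1 --format='%G?' "$1"
}

# Prints: <status of signed commit> <status of unsigned commit>
#         <verify-commit result> <own e-mail check> <foreign e-mail check>
run_signing_demo() {
  make_key
  make_repo
  git -C "$REPO" commit -q --allow-empty -m "signed via commit.gpgSign"
  git -C "$REPO" commit -q --allow-empty --no-gpg-sign -m "explicitly unsigned"
  signed="$(sig_status HEAD~1)"
  unsigned="$(sig_status HEAD)"
  # git verify-commit exits non-zero unless the signature is good.
  git -C "$REPO" verify-commit HEAD~1 2>/dev/null && verified=ok || verified=fail
  echo "$signed $unsigned $verified $(email_matches_key "$EMAIL") $(email_matches_key other@example.org)"
}

run_signing_demo
```

Run it with bash. For the human-readable version of the same check, run git log --show-signature -1 inside the repository; the one-letter %G? form is what you want when auditing a whole history, e.g. git log --format='%G? %h %s'.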

...