Why should I use git with GPG?

You probably missed this recent news from GitHub because it may sound like marketing bullshit you can live without. Actually, you can, but if you care about who exactly commits to your repo, you should not.

What’s it about?

In short:

For example, one can scam his investors by showing them that Aaron Patterson is one of the collaborators on the project, and that’s why they have to give more money =)

Yes, it’s just a funny example, but… you know.

Aaron Patterson Commits to my git

A bit about GPG in Git and GitHub

When you’re building software with people from around the world, sometimes it’s important to validate that commits and tags are coming from an identified source. Git supports signing commits and tags with GPG and starting today GitHub will show you when commits and tags are signed.

Git has supported signing with GPG for about 3-4 years, and it is really strange that GitHub and GitLab ignored this =(

Signing Your Work

Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.

source

Proof of Concept

You can set the user name and email for any of your repos with a simple git config command, and you can use any values you like:

$ git config user.name "Aaron Patterson"
$ git config user.email "tenderlove@github.com"

This is standard git behaviour: you will never be asked to verify your identity.

$ git commit -am "Updated readme"
[master 1d8e0ca] Updated readme
 1 file changed, 1 insertion(+)

$ git push
Counting objects: 3, done.
Writing objects: 100% (3/3), 274 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@github.com:rrott/gpg_test.git
   44fa75c..1d8e0ca  master -> master

And here is the result in GitHub:

Aaron Patterson Commits to my git

Repo: rrott/gpg_test

Detailed Screencast: Aaron Patterson’s commits to my git


How to use GPG with git

Honestly, I am not going to describe each step, as GitHub has several guides that cover everything you need:

All about GPG in github

Generating a GPG key

Git Tools - Signing Your Work

If you don’t have a GPG key, use the following commands:

$ gpg --gen-key
$ gpg --list-secret-keys
$ gpg --armor --export roman.rott@gmail.com

And then add your newly created GPG key to GitHub.

Try to commit:

$ git commit -S -am "Committed with GPG"

That’s it:

Commit in GitHub signed by gpg


How to set up git to use GPG with every commit

Just run 2 simple commands:

$ git config --global user.signingkey key-name
$ git config --global commit.gpgsign true

where key-name is the name of your GPG key. It’s roman.rott@gmail.com in my case.
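To see both halves of the post in one place, here is an added example (not code from the post or from GitHub's guides) that builds a throwaway repo, commits under a made-up identity, and then does the same with commit.gpgsign turned on. The only thing a reviewer can check is git's one-letter signature status, %G?: an unsigned commit comes back as N no matter how convincing the author line looks, while a commit signed by a key in the verifying keyring comes back as G. It assumes git and GnuPG 2.x are installed; the names, addresses and the key are constructed placeholders, and the config is set per repo instead of with --global so nothing on your machine changes.

```shell
#!/bin/sh
# Added example, not from the original post. Everything runs in temporary
# directories; identities and the GPG key below are constructed throwaways.
set -eu

# Create a scratch repo with an arbitrary, unverified author identity and one
# commit. Prints the repo path. The body runs in a subshell so cd does not leak.
make_repo_with_commit() (
    repo=$(mktemp -d)
    cd "$repo"
    git init -q
    # git accepts any values here: it never checks who you really are.
    git config user.name "Impersonated Maintainer"
    git config user.email "maintainer@example.invalid"
    printf 'hello\n' > README
    git add README
    git commit -q -m "Updated readme"
    printf '%s\n' "$repo"
)

# %G? is git's signature status for a commit: N = no signature, G = good
# signature from a trusted key, U = good signature but untrusted key,
# B = bad signature, E = signature present but cannot be checked (missing key).
signature_status() {
    git -C "$1" log -1 --format=%G?
}

# Defender's check on the impersonation from the post: the author line says
# whatever the committer typed, and the status is N, so nothing ties the
# commit to the claimed person.
check_unsigned_commit() (
    repo=$(make_repo_with_commit)
    signature_status "$repo"
)

# Generate an unattended GPG key (no passphrase) in the current GNUPGHOME and
# print its fingerprint. Equivalent to the post's interactive `gpg --gen-key`.
make_throwaway_key() (
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: default
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
    # In --with-colons output the fingerprint is field 10 of the fpr record.
    gpg --list-secret-keys --with-colons | awk -F: '/^fpr/ { print $10; exit }'
)

# Same repo recipe, but with user.signingkey and commit.gpgsign set the way the
# post describes, so a plain `git commit` is signed. Returns %G? for that
# commit: G, because the signing key sits in the same keyring that verifies it.
check_signed_commit() (
    GNUPGHOME=$(mktemp -d)   # isolated keyring; mktemp -d already gives mode 0700
    export GNUPGHOME
    fpr=$(make_throwaway_key)
    repo=$(make_repo_with_commit)
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign true
    printf 'signed change\n' >> "$repo/README"
    git -C "$repo" commit -q -am "Committed with GPG"
    signature_status "$repo"
)

# Demo when run directly; skips quietly if the tools are not installed.
if command -v git >/dev/null 2>&1; then
    printf 'unsigned commit, %%G? = %s\n' "$(check_unsigned_commit)"
    if command -v gpg >/dev/null 2>&1; then
        printf 'signed commit,   %%G? = %s\n' "$(check_signed_commit)"
    fi
fi
```

On a machine that only has the public half of the signer's key, the second status would be U rather than G until you assign trust to that key; that difference is exactly what GitHub's "Verified" badge is computing for you, based on the keys you uploaded to your account.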

Here is my GPG key to contact me securely ;)


“I hope you enjoyed this article. Please have a good day!!” ©

Keep having a good day!

