Why should I use git with GPG?
You probably missed this recent news from GitHub because it may sound like marketing bullshit you can live without. Actually, you can, but if you care about who exactly commits to your repo, you should not.
What’s it about?
In short:
For example, one can scam his investors by showing them that Aaron Patterson is one of the collaborators on the project, and that’s why they have to give more money =)
Yes, it’s just a funny example, but… you know.
A bit about GPG in Git and GitHub
When you’re building software with people from around the world, sometimes it’s important to validate that commits and tags are coming from an identified source. Git supports signing commits and tags with GPG and starting today GitHub will show you when commits and tags are signed.
Git has supported signing with GPG for about 3-4 years, and it is really strange that GitHub and GitLab ignored this =(
Signing Your Work
Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.
Proof of Concept
You can set the user name and email for any of your repos using the simple git config command, and you can put in anything you like:
$ git config user.name "Aaron Patterson"
$ git config user.email "tenderlove@github.com"
It’s standard git behaviour: you will never be asked to verify your identity.
$ git commit -am "Updated readme"
[master 1d8e0ca] Updated readme
1 file changed, 1 insertion(+)
$ git push
Counting objects: 3, done.
Writing objects: 100% (3/3), 274 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@github.com:rrott/gpg_test.git
44fa75c..1d8e0ca master -> master
And here is the result in GitHub:
Repo: rrott/gpg_test
Detailed Screencast: Aaron Patterson’s commits to my git
How to use GPG with git
Honestly, I am not going to describe each step, as there are several manuals on GitHub that have everything you need:
If you don’t have a GPG key, use the following commands:
$ gpg --gen-key
$ gpg --list-secret-keys
$ gpg --armor --export roman.rott@gmail.com
And then add your newly created GPG key to GitHub.
Try to commit:
$ git commit -S -am "Committed with GPG"
That’s it:
How to set up git to use GPG with every commit
Just run two simple commands:
$ git config --global user.signingkey key-name
$ git config --global commit.gpgsign true
where key-name is the name of your GPG key. It’s roman.rott@gmail.com in my case.
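Once signing is configured, the remaining question is how to tell signed commits from unsigned ones in a repository’s history, which is exactly the check that would have exposed the spoofed “Aaron Patterson” commit from the proof of concept above. The POSIX shell script below is an added example, not code from the original post or from git itself. It relies on git’s documented %G? log placeholder, assumes git is on PATH and that the signers’ public keys have been imported into the local GPG keyring, and the sample log lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a repository's history for
# commits that do not carry a good GPG signature from a key in the local keyring.
#
# git's %G? format placeholder yields one letter per commit:
#   G  good signature            N  no signature
#   B  bad signature             E  signature cannot be checked (public key missing)
#   U  good signature, but the key's validity is unknown (not trusted locally)
#   X / Y / R  good signature, but expired signature / expired key / revoked key

# Reads newline-terminated, tab-separated lines
# "<status> <abbrev hash> <author> <email> <subject>" on stdin (the shape git log
# produces below) and prints the commits a reviewer should look at, one per line.
flag_untrusted_commits() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r status hash name email subject; do
        case "$status" in
            G) : ;;   # good signature from a trusted key: nothing to report
            N) printf 'UNSIGNED  %s %s <%s> %s\n' "$hash" "$name" "$email" "$subject" ;;
            B) printf 'BAD-SIG   %s %s <%s> %s\n' "$hash" "$name" "$email" "$subject" ;;
            E) printf 'NO-KEY    %s %s <%s> %s\n' "$hash" "$name" "$email" "$subject" ;;
            U) printf 'UNTRUSTED %s %s <%s> %s\n' "$hash" "$name" "$email" "$subject" ;;
            *) printf 'EXPIRED/REVOKED(%s) %s %s <%s> %s\n' "$status" "$hash" "$name" "$email" "$subject" ;;
        esac
    done
}

# Runs the audit over a real repository (path in $1, default: the current directory).
# Assumes git is installed and the signers' public keys are in the local GPG keyring.
audit_repo() {
    git -C "${1:-.}" log --format='%G?%x09%h%x09%an%x09%ae%x09%s' | flag_untrusted_commits
}

# Constructed sample standing in for git log output, so the filter can be exercised
# without a repository: the spoofed "Aaron Patterson" commit from the post is unsigned,
# while a commit made with "git commit -S" by a key we trust is reported as G.
SAMPLE_LOG="$(printf 'N\t1d8e0ca\tAaron Patterson\ttenderlove@github.com\tUpdated readme\nG\tabc1234\tRoman Rott\troman.rott@gmail.com\tCommitted with GPG\n')"

# Demo run on the constructed sample: prints only the unsigned "Aaron Patterson" commit.
printf '%s\n' "$SAMPLE_LOG" | flag_untrusted_commits
```

Run audit_repo /path/to/repo; an empty result means every commit carries a good signature from a key you have imported. Commits with status U are flagged on purpose: GitHub’s “Verified” badge only tells you the signature matches a key uploaded to that account, so locally you still decide which keys you actually trust.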
Here is my GPG key to contact me securely ;)
“I hope you enjoyed this article. Please have a good day!!” ©