
How to use GPG signature verification with git?

You probably missed this recent news from GitHub because it may sound like marketing bullshit you can live without. Actually, you can, but if you care about who exactly commits to your repo, you should not.

In short:

You can easily impersonate commits, as demonstrated in the following example, where Aaron Patterson is listed as one of the contributors to the project even though he never committed to it.

Aaron Patterson commits to my git

What are the benefits of using GPG with git?

Git itself is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.

source

Commits and tags can be signed using GPG in Git, and both GitHub and GitLab will indicate when commits and tags have been signed.

The Attack

With a simple git config command, you can set any username or email, whether it is real, fake, or impersonated, for any of your repositories:

$ git config user.name "Aaron Patterson"
$ git config user.email "tenderlove@github.com"

Git never prompts for or verifies this identity; that is its standard behaviour, and the commit is accepted and pushed as if it came from that person.

$ git commit -am "Updated readme"
[master 1d8e0ca] Updated readme
 1 file changed, 1 insertion(+)

$ git push
Counting objects: 3, done.
Writing objects: 100% (3/3), 274 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@github.com:rrott/gpg_test.git
   44fa75c..1d8e0ca  master -> master

And here is the result as it is shown on GitHub:

Aaron Patterson commits to my git

Repo to check: rrott/gpg_test


What is the process of integrating GPG with git?

I won’t cover each step in detail since there are already comprehensive guides available on GitHub that cover everything you need:

All about GPG in github

Generating a GPG key

Git Tools - Signing Your Work

If you don’t have a GPG key, use the following commands to generate it:

$ gpg --gen-key
$ gpg --list-secret-keys
$ gpg --armor --export roman.rott@gmail.com

Add your newly created GPG key to GitHub and then try to commit something once again:

$ git commit -S -am "Committed with GPG"

That’s it:

Commit in GitHub signed by gpg


How to set up git to use GPG with every commit

Just run two simple commands:

$ git config --global user.signingkey key-name
$ git config --global commit.gpgsign true

where key-name is the ID of your GPG key, as shown by gpg --list-secret-keys.
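Signing is only half of the story; the other half is checking signatures on the receiving side. The following shell script is an added example, not from the original post: it uses the %G? placeholder of git log to report commits in a range whose signature is missing, bad, or made with a key your keyring does not trust. The sample lines, commit hashes and signer names are constructed.

```shell
#!/bin/sh
# Audit a commit range for GPG signature status (added example).
# git log's %G? placeholder yields one letter per commit:
#   G = good signature with a trusted key      U = good signature, untrusted key
#   X = good but expired signature             Y = good signature, expired key
#   R = good signature, revoked key            E = signature present, key missing
#   B = bad signature                          N = no signature at all

# classify_status STATUS -> "ok" or "reject". Only G is accepted: a good
# signature from a key you have not trusted (U) proves nothing about identity.
classify_status() {
  case "$1" in
    G) echo ok ;;
    *) echo reject ;;
  esac
}

# audit_lines reads "sha status signer" lines on stdin (the shape produced by
# git log --format='%H %G? %GS'), prints one verdict per commit and returns 1
# if any commit is not properly signed.
audit_lines() {
  rc=0
  while read -r sha status signer; do
    [ -z "$sha" ] && continue
    verdict=$(classify_status "$status")
    printf '%s %s %s\n' "$verdict" "$sha" "${signer:-<unsigned>}"
    [ "$verdict" = ok ] || rc=1
  done
  return $rc
}

# audit_range REV_RANGE: run the same check on real repository history,
# e.g. audit_range origin/master..HEAD before merging a branch.
audit_range() {
  git log --format='%H %G? %GS' "$1" | audit_lines
}

# Constructed sample (not real commits): one good, one unsigned, one untrusted.
SAMPLE='1d8e0ca0000000000000000000000000000000aa G Roman Rott <roman.rott@gmail.com>
44fa75c0000000000000000000000000000000bb N
abc1230000000000000000000000000000000000 U Someone Else <someone@example.com>'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | audit_lines ||
    echo "audit failed: unsigned or untrusted commits present"
fi
```

Run it with --demo to see the verdicts for the constructed sample; the same function wired into a pre-receive hook turns the check into a policy.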

Here is my GPG key for secure communication with me ;)


“I hope you enjoyed this article. Please have a good day!!” ©

Keep having a good day!