How to use GPG signature verification with git?
You probably missed this recent news from GitHub because it may sound like marketing bullshit you can leave without. Actually, you can, but if you care about who exactly commits to your repo, you should not.
You can easily impersonate commits, as demonstrated in the following example, where Aaron Paterson is listed as one of the contributors in the project, even though he is not.
What are the benefits of using GPG with git?
Git itself is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.
Commits and tags can be signed using GPG in Git, and both GitHub and GitLab will indicate when commits and tags have been signed.
With a simple
git config command, you can set any username or email, whether it is real, fake, or impersonated, for any of your repositories:
1 2 $ git config user.name "Aaron Patterson" $ git config user.email "email@example.com"
The verification of your identity is not prompted, as it follows the standard behavior of Git.
1 2 3 4 5 6 7 8 9 10 $ git commit -am "Updated readme" [master 1d8e0ca] Updated readme 1 file changed, 1 insertion(+) $ git push Counting objects: 3, done. Writing objects: 100% (3/3), 274 bytes | 0 bytes/s, done. Total 3 (delta 0), reused 0 (delta 0) To firstname.lastname@example.org:rrott/gpg_test.git 44fa75c..1d8e0ca master -> master
And here is the result as it is shown on GitHub:
Repo to check: rrott/gpg_test
What is the process of integrating GPG with git?
I won’t cover each step in detail since there are already comprehensive guides available on GitHub that cover everything you need:
If you don’t have a GPG key, use the following commands to generate it:
1 2 3 $ gpg --gen-key $ gpg --list-secret-keys $ gpg --armor --export email@example.com
Add your newly created GPG key to GitHub and then try to commit something once again:
1 $ git commit -S -am "Committed with GPG"
How to set up git to use GPG with every commit
Just run 2 simple commands:
1 2 $ git config --global user.signingkey key-name $ git config --global commit.gpgsign true
key-name is the name of your GPG key.
Here is my GPG key for secure communication with me ;)
“I hope you enjoyed this article. Please have a good day!!” ©