Signing your GitHub commits using GPG keys on Windows
Why should you sign a git commit?
By default, git takes the author information for a commit from the git configuration. This means that someone can edit their git config to impersonate me: all they need to do is set the commit email and name in their git config to match mine, and their commits will be shown as mine. This is technically not a vulnerability, as this is how the system is supposed to work. It trusts people to report who they are.
So, how do I know for sure a commit was made by the author?
That is where signing comes in. You sign a git commit on your local machine and add the corresponding public key to your GitHub/GitLab profile. If the signature on the commit matches a key in your profile, the commit will be shown as verified.
Setting up your local machine
For signing the commits we make use of GNU Privacy Guard (GPG). If you have Git Bash installed on your computer, open Git Bash, run the following command and follow the steps in the CLI.
- The CLI will now prompt you to choose the key type. Select the RSA (sign only) key type.
- Now enter the key size (any value between 1024 and 4096) and how long the key should be valid for.
- The CLI will now ask for your name. You can provide your GitHub username here if you want. In the email address field, enter the email address you use for your commits. For GitHub, it will usually be <your-username>@users.noreply.github.com. To use this key with GitLab you will also need to add GitLab's commit email, which can be done later. For creating the GPG key, use any one email address here.
- You will now have to enter a passphrase, which will be used to encrypt the key on disk. Remember or note down this passphrase, as you will need to enter it every time you make a commit.
- The CLI will now generate and save the GPG key.
Run the following command:
gpg --list-secret-keys --keyid-format SHORT
You should get output like the following:
sec   rsa3500/ABCD1234 2021-04-29 [SC] [expires: 2021-04-29]
ABCD1234 is the short id for this key.
Adding second email
Replace ABCD1234 with your key's short id.
Execute the command
gpg --edit-key ABCD1234
You will now enter the GPG key menu. Execute the command
Enter the name, email and comment as you did in the previous step, then execute the command
save. Otherwise the email will not be added.
Configuring Git & VS Code
We will now add the generated GPG key to your git config using the following commands:
git config --global user.signingkey ABCD1234
git config --global gpg.program $(which gpg)
For signing with git, you can sign an individual commit by adding the
-S (--gpg-sign) flag to the commit command, like
git commit -S. If you want to sign all your commits, update your git config as follows:
git config --global commit.gpgSign true
git config --global tag.gpgSign true
In VS Code, you can turn on the Enable commit signing (git.enableCommitSigning) setting to sign all commits.
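Once signing is switched on, it is worth confirming that your recent commits actually carry a good signature rather than trusting the config alone. The following Git Bash script is an added example (not from the original post): it reads git log's %G? status placeholder and flags every commit that would show as Unverified; the sample log lines at the bottom are constructed, and the DEADBEEF key id is a made-up placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit the signature status of
# recent commits via git log's %G? placeholder and flag the ones that would
# show as "Unverified" on GitHub/GitLab (unsigned, bad, expired, revoked,
# or signed with a key that is not in the local keyring).
# %G? codes (git-log(1), PRETTY FORMATS): G good, U good but untrusted key,
# X good but expired signature, Y good but expired key, R good but revoked
# key, B bad signature, E cannot be checked, N no signature.

# describe_status CODE -> human-readable meaning of one %G? code
describe_status() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key not trusted locally" ;;
    X) echo "good signature, but it has expired" ;;
    Y) echo "good signature, made by an expired key" ;;
    R) echo "good signature, made by a revoked key" ;;
    B) echo "BAD signature" ;;
    E) echo "cannot verify: signing key not in local keyring" ;;
    N) echo "not signed" ;;
    *) echo "unknown status '$1'" ;;
  esac
}

# audit_lines reads "hash|G?|keyid|author-email" lines on stdin, prints one
# report line per commit and returns 1 if any commit is not G or U.
audit_lines() {
  problems=0
  while IFS='|' read -r hash status key email; do
    case "$status" in
      G|U) ;;
      *) problems=$((problems + 1)) ;;
    esac
    printf '%.8s %-8s %s (%s)\n' "$hash" "${key:-none}" \
      "$(describe_status "$status")" "$email"
  done
  [ "$problems" -eq 0 ]
}

# audit_repo N: run the audit over the last N commits of the current repo.
# '|' is used as the separator because %GK is empty for unsigned commits.
audit_repo() {
  git log -n "${1:-20}" --format='%H|%G?|%GK|%ae' | audit_lines
}

# Constructed sample of git log output (not from a real repository).
sample_log='1111111111111111111111111111111111111111|G|ABCD1234|me@users.noreply.github.com
2222222222222222222222222222222222222222|N||someone@example.com
3333333333333333333333333333333333333333|E|DEADBEEF|me@users.noreply.github.com'
printf '%s\n' "$sample_log" | audit_lines || echo "some commits would show as Unverified"
```

Inside a real repository, call audit_repo 20 to check the last 20 commits; a non-zero exit status means at least one of them is unsigned or not verifiable with the keys in your keyring.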
Adding your key to GitHub / GitLab
Run the following command to obtain the public key:
gpg --armor --export ABCD1234
Copy the public key, including the BEGIN and END lines. You can now add this public key to your GitHub or GitLab account.
- Adding a new GPG key to your GitHub account - GitHub Docs
- Adding a GPG key to your account - GitLab Docs
Deleting your older keys from GitHub / GitLab
Deleting an older key from GitLab only prevents new commits signed with that key from being marked as verified; your older commits will still be verified. There is a separate Revoke action for that.
In GitHub, however, if you delete your GPG key your older commits become unverified instantly.