
Signing your GitHub commits using GPG keys on Windows

Apr 29, 2021 by Kolappan N

Why should you sign a git commit?

By default, git takes the author information for a commit from the git configuration. This means that someone can edit their git config to impersonate me. All you need to do is to edit your commit email and name in git config to match mine and your commits will be shown as mine. This is technically not a vulnerability as this is how the system is supposed to work. It trusts people to report who they are.

So, how do I know for sure a commit is made by the author?

That is where signing comes in. You can sign a git commit on your local machine and add the public key to your GitHub/GitLab profile. If the signature on the commit matches a key in your profile, the commit will be shown as verified.

Setting up your local machine

For signing the commits we make use of the GNU Privacy Guard, or GPG. If you have git bash installed on your computer, open git bash, run the following command and follow the prompts in the CLI.

gpg --full-gen-key
  1. The CLI will now prompt you to choose the key type. Select the RSA (sign only) key type.
  2. Now enter the key size (any value between 1024 and 4096) and how long the key should be valid for.
  3. The CLI will now ask for your name. You can provide your GitHub username here if you want. In the email address field enter the email address you use for your commits. For GitHub, it will usually be <your-username>@users.noreply.github.com. For using this key with GitLab you will also need to add GitLab’s commit email, which can be done later. When creating the GPG key, use any one email address here.
  4. You will now have to enter a passphrase which will be used to encrypt the key on disk. Remember or note down this passphrase, as you will need to enter it every time you make a commit.
  5. The CLI will successfully generate and save the GPG Key.

Run the following command

gpg --list-secret-keys --keyid-format SHORT

You should get an output like the following,

sec rsa3500/ABCD1234 2021-04-29 [SC] [expires: 2021-04-29]

The ABCD1234 represents the short id for this key.

Adding second email

Replace the ABCD1234 with your key’s short id.

Execute the command

gpg --edit-key ABCD1234

You will now enter into the GPG key menu. Execute the command

adduid

Enter the name, email and comment as you did in the previous step, then execute the command save. Otherwise the email will not be added.

Configuring Git & VS Code

We will now add the generated GPG key to your git config using the following command

git config --global user.signingkey ABCD1234
git config --global gpg.program $(which gpg)

For signing with git you can sign an individual commit by passing -S (capital S, the GPG sign flag) to the commit command, like git commit -S; note that lowercase -s only adds a Signed-off-by trailer and does not sign anything. If you want to sign all commits, update the git config as follows.

git config --global commit.gpgSign true
git config --global tag.gpgSign true

On VS Code, you can turn on the Enable commit signing (git.enableCommitSigning) setting to sign all commits.

Adding your key to GitHub / GitLab

Run the following command to obtain the public key.

gpg --armor --export ABCD1234

Copy the public key along with the BEGIN and END marker lines. You can now add this public key to your GitHub or GitLab account.
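The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that reproduces the interactive steps (full-gen-key, list-secret-keys, adduid + save, the git config lines, armor --export) non-interactively in throwaway directories, plus a small parser that pulls the short key id out of the list-secret-keys output and skips expired or revoked keys. The names, email addresses, the constructed sample listing and the RUN_GPG_DEMO switch are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Names, emails and the
# RUN_GPG_DEMO switch are assumptions made for this example.

# Parameter block for `gpg --batch --gen-key`, matching the choices the post
# makes in `gpg --full-gen-key`: RSA (sign only), a key size, an expiry and
# one user id. Arguments: name, email, key length, expiry (e.g. 1y).
# %no-protection skips the passphrase so the demo needs no pinentry; for a
# real key drop that line and let gpg prompt for a passphrase.
gpg_batch_params() {
    printf '%s\n' \
        "Key-Type: RSA" \
        "Key-Length: $3" \
        "Key-Usage: sign" \
        "Name-Real: $1" \
        "Name-Email: $2" \
        "Expire-Date: $4" \
        "%no-protection" \
        "%commit"
}

# Read `gpg --list-secret-keys --keyid-format SHORT` output on stdin and print
# the short id of every usable secret key: the part after the slash on "sec"
# lines (e.g. "rsa4096/ABCD1234" -> ABCD1234). Keys gpg marks as expired or
# revoked are skipped, since a forge will not show commits made with them as
# verified.
short_key_ids() {
    awk '$1 ~ /^sec/ && $0 !~ /\[(expired|revoked)/ {
             sub("^[^/]*/", "", $2); print $2
         }'
}

# The post's git settings for key id $1 in config scope $2 (--global/--local).
configure_git_signing() {
    git config "$2" user.signingkey "$1"
    git config "$2" gpg.program "$(command -v gpg)"
    git config "$2" commit.gpgSign true
    git config "$2" tag.gpgSign true
}

# Constructed sample listing with one live key and one expired key.
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/ABCD1234 2021-04-29 [SC] [expires: 2023-04-29]
      0123456789ABCDEF0123456789ABCDEF01234567
uid         [ultimate] Kolappan N <user@users.noreply.github.com>
sec   rsa2048/DEAD0000 2019-01-01 [SC] [expired: 2021-01-01]
      FEDCBA9876543210FEDCBA9876543210FEDCBA98
uid         [ expired] Old Key <old@example.com>'

# End-to-end run (needs gpg and git on PATH): generate a key, pick its short
# id, add a second user id the way `adduid` + `save` does, configure git,
# sign an empty commit and verify the signature. Runs in a subshell so the
# caller's cwd and environment are untouched.
demo() (
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg_batch_params "Example User" "example@users.noreply.github.com" 4096 1y \
        > "$tmp/params"
    gpg --batch --gen-key "$tmp/params"
    keyid=$(gpg --list-secret-keys --keyid-format SHORT | short_key_ids | head -n 1)
    # Non-interactive equivalent of the post's adduid step (second email).
    gpg --batch --quick-add-uid "$keyid" "Example User <example@example.com>"
    git init -q "$tmp/repo" && cd "$tmp/repo"
    git config user.name "Example User"
    git config user.email "example@users.noreply.github.com"
    configure_git_signing "$keyid" --local
    git commit -q --allow-empty -m "signed commit"
    git verify-commit HEAD && echo "commit signed and verified with $keyid"
    # The block to paste into the GitHub/GitLab GPG keys page.
    gpg --armor --export "$keyid" > "$tmp/public-key.asc"
    echo "public key exported to $tmp/public-key.asc"
)

printf '%s\n' "$SAMPLE_LISTING" | short_key_ids     # prints ABCD1234
if [ "${RUN_GPG_DEMO:-0}" = 1 ]; then demo; fi
```

By default the script only exercises the parser on the constructed listing; set RUN_GPG_DEMO=1 to run the full flow, which creates the key and repository under a temporary directory rather than touching your real ~/.gnupg or global git config.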

Deleting your older keys from GitHub / GitLab

Deleting an older key from GitLab only stops new commits made with that key from being marked as verified. Your older commits will still show as verified. There is a separate Revoke action for that.

But in GitHub if you delete your GPG key your older commits will become unverified instantly.