Mighten's Blog

How to Sign Our Git Commits with GPG

How to sign a git commit: In this post, we talk about how to use GPG to sign a Git commit.


Hello!

Today, let’s talk about signing Git commits with GPG (GnuPG), a free implementation of the OpenPGP standard that can encrypt, sign and verify data.

When we collaborate over the Internet, it is recommended to add a cryptographic signature to our commits. A valid signature gives a verifier assurance that the commit was made by whoever holds the private key, rather than by an impersonator. The author name and e-mail stored in a Git commit are free text that anyone can set, so on their own they prove nothing about who made the commit.

This post is based on the following environment:

  • Windows 10 x64
  • Ubuntu 20.04 LTS on Windows Subsystem for Linux (WSL) version 2

In this section, we install GPG and configure it.

$ sudo apt-get install gnupg

Installation is done. Next, we configure it.

First, we append two lines to the shell profile. I am using bash, so I open ~/.bashrc and append:

export GPG_TTY=$(tty)
gpgconf --launch gpg-agent

GPG_TTY tells gpg-agent’s pinentry which terminal to use for the passphrase prompt; without it, signing from the terminal fails with an "Inappropriate ioctl for device" error. The second line starts gpg-agent, which caches the passphrase so that you are not prompted for every signature.

After saving the file, reload it in the current terminal so the settings take effect:

$ source ~/.bashrc

GPG is now ready to use. To generate a key pair, run:

$ gpg --full-gen-key

Answer the prompts as follows:

  1. Kind of key: RSA and RSA (default)
  2. Key size: 4096
  3. How long the key should be valid: 0 (key does not expire). An expiry date is the safer choice for a key that may one day be lost or leaked; it can be extended later with gpg --edit-key, so it does not have to be final.
  4. Is this correct: Y
  5. Real name: your GitHub name
  6. E-mail: your GitHub e-mail. It MUST MATCH a verified e-mail address of your GitHub account, otherwise GitHub marks the signed commits as Unverified.
  7. Comment: an optional note for this key

Now that the key pair is generated, we need to add the public key on the GitHub settings page.

To get it, we go back to the terminal and run these commands:
# (1) List the secret keys
$ gpg --list-secret-keys --keyid-format=long
# It shows something like this (* hidden for privacy):
# sec   rsa4096/********** 2022-05-20 [SC]
#       ED0BEFAC1E5C4681F0A0FEF0E97461039812B753
# uid           [ultimate] Mighten Dai <mighten@outlook.com>
# ssb   rsa4096/********** 2022-05-20 [E]
# The 40-hex-digit line is the key's fingerprint. [SC] marks the primary key
# (signing and certification), [E] the encryption subkey.
# (2) Export the associated public key in ASCII-armored form
$ gpg --armor --export ED0BEFAC1E5C4681F0A0FEF0E97461039812B753 # fingerprint copied from above

This prints the public key block:

-----BEGIN PGP PUBLIC KEY BLOCK-----
.........
-----END PGP PUBLIC KEY BLOCK-----

In the SSH and GPG keys page of your GitHub settings, click New GPG key and paste this block; the input field notes that it begins with '-----BEGIN PGP PUBLIC KEY BLOCK-----', which is exactly the output above. Only the public key goes to GitHub; the private key never leaves your machine.

In the listing above, the fingerprint of my key is ‘ED0BEFAC1E5C4681F0A0FEF0E97461039812B753’ (it identifies the key; it is not the private key itself). I open ~/.gitconfig and set the following properties so that Git signs with this key:

[user]
name = Mighten Dai
email = mighten@outlook.com
signingKey = ED0BEFAC1E5C4681F0A0FEF0E97461039812B753
[commit]
gpgsign = true
[gpg]
program = /usr/bin/gpg

With commit.gpgsign = true every commit is signed automatically; the -S flag asks for a signature explicitly. To check a commit’s signature afterwards, run git log --show-signature or git verify-commit HEAD.

$ git add .
$ git commit -S -m "This is a commit with PGP Signature"
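The step above requires finding the fingerprint of the right key and copying it into ~/.gitconfig by hand. The following Python script is an added example (not code from the original post) that does the selection from gpg’s machine-readable output: `gpg --list-secret-keys --with-colons` prints one record per line with colon-separated fields, and the script picks a usable, signing-capable secret key whose user id carries the wanted e-mail, skipping revoked or expired keys. The listing embedded below is constructed for the example: the first key (fingerprint of all 1s) is an expired key that must be skipped, the second is the key shown in this post; the key ids are made up.

```python
"""Select the GPG key Git should sign with from `gpg --list-secret-keys --with-colons`.

Added example, not code from the original post. Pipe real gpg output into it:
    gpg --list-secret-keys --with-colons | python3 pick_signing_key.py
"""
import re
import sys
import time
from typing import List, Optional

# Constructed sample of `gpg --list-secret-keys --with-colons` (key ids made up).
# Fields (per GnuPG doc/DETAILS): 1 record type, 2 validity, 3 key length,
# 4 algorithm, 5 long key id, 6 creation time, 7 expiry time, 10 user id
# (uid records) or fingerprint (fpr records), 12 key capabilities.
SAMPLE_LISTING = """\
sec:e:4096:1:1111111111111111:1500000000:1600000000::u:::scESC:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1500000000::0000000000000000000000000000000000000000::Mighten Dai <mighten@outlook.com>::::::::::0:
sec:u:4096:1:E97461039812B753:1653004800:0::u:::scESC:::+:::23::0:
fpr:::::::::ED0BEFAC1E5C4681F0A0FEF0E97461039812B753:
uid:u::::1653004800::1111111111111111111111111111111111111111::Mighten Dai <mighten@outlook.com>::::::::::0:
ssb:u:4096:1:2222222222222222:1653004800::::::e:::+:::23:
fpr:::::::::2222222222222222222222222222222222222222:
"""

EMAIL_RE = re.compile(r"<([^>]+)>")


def parse_secret_keys(listing: str) -> List[dict]:
    """Group the colon records into one dict per primary secret key."""
    keys: List[dict] = []
    current: Optional[dict] = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "sec":
            current = {"keyid": fields[4], "validity": fields[1], "expires": fields[6],
                       "caps": fields[11], "fpr": None, "uids": []}
            keys.append(current)
        elif rtype == "ssb":
            # Subkey records follow; their fpr lines must not overwrite the primary's.
            current = None
        elif current is None:
            continue
        elif rtype == "fpr" and current["fpr"] is None:
            current["fpr"] = fields[9]
        elif rtype == "uid":
            current["uids"].append(fields[9])
    return keys


def uid_email(uid: str) -> Optional[str]:
    """Extract the address from 'Name (comment) <addr>'; None if there is none."""
    match = EMAIL_RE.search(uid)
    return match.group(1).lower() if match else None


def pick_signing_key(listing: str, email: str, now: Optional[int] = None) -> Optional[str]:
    """Return the fingerprint to put in user.signingKey, or None if nothing usable matches."""
    now = int(time.time()) if now is None else now
    wanted = email.lower()
    for key in parse_secret_keys(listing):
        # validity: r = revoked, e = expired, d = disabled, i = invalid
        if key["validity"] in ("r", "e", "d", "i"):
            continue
        # expiry timestamp: "" or "0" means the key never expires
        if key["expires"] not in ("", "0") and int(key["expires"]) <= now:
            continue
        # 's' = the primary key can sign, 'S' = a subkey can; gpg picks the subkey itself
        if "s" not in key["caps"].lower():
            continue
        if key["fpr"] and wanted in (uid_email(u) for u in key["uids"]):
            return key["fpr"]
    return None


def render_gitconfig(name: str, email: str, fpr: str) -> str:
    """The ~/.gitconfig fragment from the post, filled in with the chosen key."""
    return ("[user]\n" f"\tname = {name}\n" f"\temail = {email}\n" f"\tsigningKey = {fpr}\n"
            "[commit]\n" "\tgpgsign = true\n")


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    chosen = pick_signing_key(listing, "mighten@outlook.com")
    if chosen is None:
        sys.exit("no usable signing key for that e-mail")
    print(render_gitconfig("Mighten Dai", "mighten@outlook.com", chosen))
```

The expired key carries the same name and e-mail as the live one, which is exactly the situation after a key rotation; matching on the e-mail alone would pick whichever key gpg lists first, so the validity and expiry fields have to be checked as well.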

In this section, we look at other uses of GPG.

To sign a plain-text message, pipe it into gpg --clearsign:

echo "Signing a plaintext" | gpg --clearsign

It prints the message with the signature appended:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Signing a plaintext
-----BEGIN PGP SIGNATURE-----
.........
=tIWQ
-----END PGP SIGNATURE-----

If someone sends you such a signed message (saved here as signedMsg.txt), you can verify it with:

$ gpg --verify signedMsg.txt
gpg: Signature made Fri May 20 15:51:09 2022 CST
gpg: using RSA key ED0BEFAC1E5C4681F0A0FEF0E97461039812B753
gpg: Good signature from "Mighten Dai <mighten@outlook.com>" [ultimate]

The signature checks out. What if the message body is tampered with? Verifying a modified copy of the file gives:

$ gpg --verify signedMsg-tampered.txt
gpg: Signature made Fri May 20 15:51:09 2022 CST
gpg: using RSA key ED0BEFAC1E5C4681F0A0FEF0E97461039812B753
gpg: BAD signature from "Mighten Dai <mighten@outlook.com>" [ultimate]

The tampering is detected: the signature no longer matches the text. Note that "Good signature" only means that the signature was made by the key shown and that this key is in your keyring. Anyone can generate a key with any name and e-mail, so you still have to check that the fingerprint is the one you expect from the sender; it shows [ultimate] here only because it is my own key.

In this section, I verify the integrity and origin of downloaded files.

I have downloaded the file gnupg-2.4.2.tar.bz2 and its detached signature gnupg-2.4.2.tar.bz2.sig, so I can verify it with:

# 1. Acquire the publisher's public key from a trusted source,
#    e.g., https://gnupg.org/signature_key.html
$ gpg --import public_key.asc
...
gpg: Total number processed: 4
gpg: imported: 4
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
# 2. Verify the file (the signature file comes first, then the data file)
$ gpg --verify gnupg-2.4.2.tar.bz2.sig gnupg-2.4.2.tar.bz2
gpg: Signature made 5/30/2023 8:27:44 PM China Standard Time
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
...
# [unknown] means the key was imported but never certified by you. Compare the
# fingerprint printed above with the one the publisher lists on its web page;
# a "Good signature" from a key you have not checked proves nothing about origin.
# 3. List all the keys
$ gpg --list-keys
# 4. Delete the temporarily imported keys
$ gpg --delete-keys < the key ID you want to delete >
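Both verification sections above (the clearsigned message and the downloaded tarball) rely on a human reading gpg’s output and noticing "BAD signature", "[unknown]" or an unexpected key. A script cannot do that: plain gpg --verify exits with status 0 for a "Good signature" from any key in the keyring, including one an impostor generated with the author’s name and e-mail. The following Python script is an added example (not code from the original post or from GnuPG) of how a download script should decide: it runs the real command gpg --status-fd 1 --verify <sig> <file>, parses the machine-readable status lines gpg writes to that descriptor, rejects BADSIG/ERRSIG/NO_PUBKEY outright, and accepts a GOODSIG only when the primary-key fingerprint in the VALIDSIG line is on an allow-list obtained out of band. The three status outputs embedded below are constructed for the example (line format per GnuPG doc/DETAILS; the SIG_ID value and the impostor key are made up); the GnuPG distribution fingerprint is the one gpg printed above.

```python
"""Accept a GnuPG signature only if it is GOOD and made by a pinned key.

Added example, not code from the original post. Feed it the stdout of
    gpg --status-fd 1 --verify <file>.sig <file>
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Keywords that mean the signature must not be accepted, whatever else is printed.
# EXPKEYSIG/REVKEYSIG are mathematically good signatures from expired or revoked
# keys; rejecting them is the conservative choice for a downloader.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    signer_fpr: Optional[str] = None


def parse_status(status_output: str) -> List[Tuple[str, List[str]]]:
    """Split --status-fd output into (keyword, args); any other text is ignored."""
    records = []
    for line in status_output.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split(" ")
            records.append((parts[0], parts[1:]))
    return records


def evaluate(status_output: str, trusted_fprs: Iterable[str]) -> Verdict:
    """Verdict for a verification run containing one signature."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    goodsig = False
    primary_fpr = None
    for keyword, args in parse_status(status_output):
        if keyword in FAILURE_KEYWORDS:
            return Verdict(False, keyword)
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and args:
            # VALIDSIG <sig-key fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo>
            #          <hashalgo> <class> [<primary-key fpr>]
            # Publishers list the primary fingerprint, so pin that; fall back to the
            # signing key's own fingerprint if an old gpg omits the last field.
            primary_fpr = (args[9] if len(args) >= 10 else args[0]).upper()
    if not goodsig or primary_fpr is None:
        return Verdict(False, "no valid signature found")
    if primary_fpr not in trusted:
        return Verdict(False, "good signature, but key is not on the allow-list", primary_fpr)
    return Verdict(True, "good signature from a pinned key", primary_fpr)


# Allow-lists. The GnuPG one is the fingerprint gpg printed for the tarball above;
# in practice it is copied from https://gnupg.org/signature_key.html, not from gpg.
GNUPG_DIST_FPRS = ["6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA"]
MY_KEY_FPRS = ["ED0BEFAC1E5C4681F0A0FEF0E97461039812B753"]

# Constructed: status lines for the good tarball verification (SIG_ID made up).
STATUS_GOOD_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 6DAA6E64A76D2840571B4902528897B826403ADA 0
[GNUPG:] SIG_ID 0000000000000000000000000000 2023-05-30 1685449664
[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2023-05-30 1685449664 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: status lines for the tampered clearsigned message.
STATUS_TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED ED0BEFAC1E5C4681F0A0FEF0E97461039812B753 0
[GNUPG:] BADSIG E97461039812B753 Mighten Dai <mighten@outlook.com>
"""

# Constructed: a valid signature from a made-up key that carries the same name and
# e-mail. gpg itself reports "Good signature"; only the allow-list catches it.
STATUS_IMPOSTOR = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Mighten Dai <mighten@outlook.com>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2022-05-20 1653033069 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for label, status, allow in [("gnupg tarball", STATUS_GOOD_PINNED, GNUPG_DIST_FPRS),
                                 ("tampered message", STATUS_TAMPERED, MY_KEY_FPRS),
                                 ("impostor key", STATUS_IMPOSTOR, MY_KEY_FPRS)]:
        verdict = evaluate(status, allow)
        print(f"{label}: {'ACCEPT' if verdict.ok else 'REJECT'} ({verdict.reason})")
```

The allow-list is the whole point: TRUST_UNDEFINED in the status output corresponds to the "[unknown]" that gpg printed above, and the impostor case shows why the user-id string in the GOODSIG line must never be used for the decision.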