Signing commits in git
Avg. 2 minute(s) of readingQuick PSA about signing git commits.
In GitLab and GitHub, you can now add a GPG key to your account. If you have a GPG key, the commits you sign will appear as verified: provides extra assurance that a commit originated from you, and not from an impersonator. It is also possible for repo owners to reject unsigned commits.
Generate a key
Generating a key is as easy as running one of following, and answering the questions:
gpg --gen-key;gpg --full-gen-key- more (advanced) options.
Find your key
If you run gpg --list-keys <EMAIL>, where <EMAIL> is the e-mail address
you used to create the key, you'll be able to see the ID of your key. For example:
> gpg --list-keys [email protected]
pub rsa4096 2022-05-04 [SC]
ABCDEF9876543210FEDCBA0123456789ABCDEF12
uid [ unknown] João Costa (Git commit signing key) <[email protected]>The key ID is ABCDEF9876543210FEDCBA0123456789ABCDEF12
Exporting the key
With gpg --armor --export <ID>, where <ID> is the ID of your key, you can export
your public key. Copy this to your GitLab/
GitHub account.
Config git
You can add the following to your git config to automatically sign commits when you make
them (<KEY-ID> is the ID of your key):
[user]
signingKey = <KEY-ID>
[commit]
gpgsign = trueConclusion
Remember:
- Don't share your private key;
- If you set a password for your key, you might need to enter if every time you commit:
- Search for
gpg caching password.
- Search for
Stay safe :P