How to sign your commits on GitHub


Some projects require the commits in your pull request to be signed. You can sign your work locally using GPG or S/MIME. GitHub verifies these signatures so other people can see that your commits come from a trusted source.

Generating a new GPG key in Terminal

$ gpg --full-generate-key

At the prompt:

  • Specify the kind of key you want, or press Enter to accept the default RSA and DSA.
  • Enter the desired key size. Your key must be at least 4096 bits.
  • Enter the length of time the key should be valid. Press Enter to specify the default selection, indicating that the key doesn't expire.
  • Verify that your selections are correct.
  • Enter your user ID information.
  • Type a secure passphrase.

List the GPG keys for which you have both a public and a private key. A private key is required for signing commits or tags.

$ gpg --list-secret-keys --keyid-format LONG

From the list of GPG keys, copy the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:

$ gpg --list-secret-keys --keyid-format LONG
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot 
ssb   4096R/42B317FD4BA89E7A 2016-03-10

Paste the text below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:

$ gpg --armor --export 3AA5C34371567BD2
# Prints the public key for that key ID, in ASCII armor format

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Adding a new GPG key to your GitHub account

  • In the upper-right corner of any page, click your profile photo, then click Settings.
  • In the user settings sidebar, click SSH and GPG keys.
  • Click New GPG key.
  • In the "Key" field, paste the GPG key you copied when you generated your GPG key.
  • Click Add GPG key.
  • To confirm the action, enter your GitHub password.

Telling Git about your signing key

To set your GPG signing key in Git, paste the text below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:

$ git config --global user.signingkey 3AA5C34371567BD2

Signing commits

When committing changes in your local branch, add the -S flag to the git commit command:

$ git commit -S -m "your commit message"
# Creates a signed commit

If you're using GPG, after you create your commit, provide the passphrase you set up when you generated your GPG key. When you've finished creating commits locally, push them to your remote repository on GitHub:

$ git push
# Pushes your local commits to the remote repository
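As an added example that is not part of the original post, here are two small POSIX shell helpers for the steps above: one pulls the long key ID out of the gpg listing shown earlier (it also handles the newer rsa4096/<id> listing form), the other takes `git log --pretty='%H %G? %GK'` output and lists the commits that lack a good signature, which is how you would check a branch before pushing or reviewing it. The listing and log lines below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for picking the signing
# key ID out of gpg's listing and for auditing which commits are well signed.

# 1. Extract the long key ID of the primary secret key (the "sec" line, not
#    the "ssb" subkey) from `gpg --list-secret-keys --keyid-format LONG`
#    output on stdin. Works for "4096R/<id>" and the newer "rsa4096/<id>".
primary_key_id() {
    awk '$1 == "sec" { split($2, f, "/"); print f[2]; exit }'
}

# 2. A long key ID is exactly 16 hex digits; refuse anything else before it
#    goes into `git config user.signingkey`.
is_long_key_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# 3. Given `git log --pretty='%H %G? %GK' <range>` output on stdin, print the
#    hashes of commits NOT backed by a good, trusted signature. %G? is
#    G (good), U (good, unknown trust), B (bad), E (cannot be checked),
#    N (no signature), X/Y/R (expired sig / expired key / revoked key).
not_well_signed() {
    awk '$2 != "G" { print $1 }'
}

# Constructed sample inputs (the listing mirrors the format shown above).
SAMPLE_LISTING='/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10'

SAMPLE_LOG='0123456789abcdef0123456789abcdef01234567 G 3AA5C34371567BD2
89abcdef0123456789abcdef0123456789abcdef N 
fedcba9876543210fedcba9876543210fedcba98 E 42B317FD4BA89E7A'

KEY_ID=$(printf '%s\n' "$SAMPLE_LISTING" | primary_key_id)
if is_long_key_id "$KEY_ID"; then
    # Real run: git config --global user.signingkey "$KEY_ID"
    #           git config --global commit.gpgsign true   # sign every commit
    echo "signing key: $KEY_ID"
fi

# Real run: git log --pretty='%H %G? %GK' origin/main..HEAD | not_well_signed
echo "commits without a good signature:"
printf '%s\n' "$SAMPLE_LOG" | not_well_signed
```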

That's all.