Signing your commits on GitHub with a GPG key

Every time Chuck Harmston commits to GitHub he has that fancy [verified] tag next to his name and I'm super jealous.

I've been too lazy to add GPG signing to my Git commits because it seemed like too much work, but I had some free time this afternoon and Julien Vehent convinced me it wasn't that hard, so, here we are. Writing this post is partly to encourage everyone to sign their commits, and partly so I can find these steps again when I forget how to do it in the future.

I already have a gpg key I use for Mozilla things, so I'll start with that. Check out your current keys (if this list is empty, you'll need to make a key):

$ gpg --list-keys wclouser@mozilla.com
pub   4096R/4A403229 2013-08-19
uid                  Wil Clouser <wclouser@mozilla.com>
sub   4096R/B438E342 2013-08-19

I want to use a new subkey for GitHub signing, so I'll edit my existing master key and add a new one:

gpg --edit-key 4A403229
gpg> addkey
<I choose to add a 4096 bit RSA signing-only key which expires in two years>
gpg> save

Reviewing my new key:

$ gpg --list-keys wclouser@mozilla.com
pub   4096R/4A403229 2013-08-19
 uid                  Wil Clouser <wclouser@mozilla.com>
sub   4096R/B438E342 2013-08-19
sub   4096R/04D1111C 2016-08-30 [expires: 2018-08-30]

Adding the key to GitHub

Telling GitHub about the key is pretty straight forward. Firstly, get your public key:

$ gpg --armor --export 04D1111C
-----BEGIN PGP PUBLIC KEY BLOCK-----
  ...
  <many lines of text here>
  ...
-----END PGP PUBLIC KEY BLOCK-----

Next, load https://github.com/settings/keys and click New GPG Key. Then copy and paste the entire output from the command you ran above into the textarea on that page and click save.

Signing the commit

You're going to sign all your commits, right? So let's just add this thing globally (bonus note: you can add this, but it only works in git 2.0 and above. If you have an old version you'll need to add the -S flag to your git commit commands):

$ git config --global commit.gpgsign true

If you have more than one key you'll want to specify the key to use:

$ git config --global user.signingKey 04D1111C

You can change all this stuff in ~/.gitconfig if you'd rather adjust it directly. While you're in there, double check that the user.email value lines up with the email address assigned to your key and the email address that GitHub knows about or else you'll have a mismatch when you try to use it.

Ready to commit something? Edit your files like normal, and git commit. You'll be prompted for your GPG password (unless you use an agent, and you should) and everything else should just work like normal. Github will recognize the signed commit:

Transferring the key to your laptop

Transferring secret keys around always raises some eyebrows, but the reality is many of us make commits from multiple computers. As long as you protect the key in transit, this should be relatively secure. Firstly, export it into a couple of files:

gpg --export 04D1111C > key-pub.asc
gpg --export-secret-keys 04D1111C > key-sec.asc

Then securely transfer those files to your laptop (scp is a good choice) and run:

gpg --import key-pub.asc
gpg --import key-sec.asc

When you're done, securely delete the .asc files on both computers (I use shred but there are other options).

And that's it. Signed commits!

1 Comment

And a follow up if you don't want to type your password all the time, put the following in `~/.gnupg/gpg-agent.conf`:
default-cache-ttl 3942000
max-cache-ttl 3942000

-- Wil Clouser, 30 Nov 2016

Post a comment

All comments are held for moderation; basic HTML formatting accepted.

Name: