My scrapbook about anything which I learned or want to remember, Sometime about tech tips, thoughts and rambling. If you find anything useful don't forget to give thumbs-up :)

Breaking

Thursday, February 8, 2024

Sign your Github Commit with GPG or SSH Key

GPG Key is your identity in digital world as there are very rare chances (almost nil) for regeneration of same GPG keys twice, hence you must safe keep your GPG keys as malicious personnel can use this key (if stolen) to represent you. Github allows you to sign your git commits with your GPG key which is to prove that It was you and only you have made this commit. It's pretty straightforward if you followed below steps -

Steps:

  • First. Reset if you have GPG key setup for Git, You can skip this step if not. 
    git config --global --unset gpg.format
    
    
  • List your GPG Key/s
    gpg --list-secret-keys --keyid-format=long
    This will display the output as below - 
    > gpg --list-secret-keys --keyid-format=long
    /home/atul/.gnupg/pubring.kbx
    -----------------------------
    sec   ed25519/DC720CCF9BCEDF17 2023-09-08 [SC] [expires: 2026-12-07]
          E4458C3F9BCEDF17CF9BCEDF1728DC720CCF9BCEDF17
    uid                 [ultimate] AtulS (Encrypt n Sign Key for AtulS) <dummy@mail.com>
    ssb   cv25519/E4458C3F9BCEDF17 2023-09-08 [E] [expires: 2026-12-07]
    Your KEY-ID is DC720CCF9BCEDF17  ( line starts from "sec" ) 

  • Now, Let Git know to use this KEY ID 
    git config --global user.signingkey DC720CCF9BCEDF17

  • Last configure Git to Sign all the commits with this key
    git config --global commit.gpgsign true

    As GPG keys are password protected, Git will ask the GPG key password to sign the commits in each new terminal which is kind of a hassle but this is what it make this more secure. There are some agent tools available which you can use to keep the GPG key open in the terminal, but personally, I will not advise to use those. 

    Below is the screenshot of not-signed and signed git commit - 






                                                                                                                                                                                                                                                                                                                                                   You can use SSH key as well to sign your commits (if don't want to manage one another additional key), All the commands are pretty much same. 
  • # Unset the existing GPG config
    git config --global --unset gpg.format
    
    # Use SSH for GPG signing
    git config --global gpg.format ssh
    
    # Config the SSH key which sign the commit
    git config --global user.signingkey "$(cat $HOME/.ssh/id_ed25519.pub)"
    
    # Enable the commit signing
    git config --global commit.gpgSign true
    

    Now, you can choose which way you want to go, If you are not using GPG keys at all, use SSH way else you know what to do :-) 

            


    Like the below page to get the update  

    Facebook Page      Facebook Group      Twitter Feed      Telegram Group


No comments:

Post a Comment

Disclaimer

The postings on this site are my own and don't necessarily represent IBM's or other companies positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of his information.