Have you noticed some commits on GitHub are marked as Verified? Do you want that fancy looking icon next to your GitHub commits, or in your Git history? Here is how!
Contents
- Verify downloaded GPG installation package
- Create GPG signing key
- Update Git Bash to use new gpg installation
- Configure Git
- Test Git commit signing
- Useful notes
CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring with the Sponsor button or become a Patron, which also gives you some bonus perks.
Verify downloaded GPG installation package
- Download GPG (GPG Binary releases) together with its *.sig file.
  - Windows: GnuPG simple installer (CLI tools)
- Import the GnuPG public keys with a gpg binary you already trust.
  - Use the gpg that comes with the Git installation, from Git Bash:
where gpg
gpg --version
  - Go to the GnuPG public keys reference page and keep it open.
  - Copy the public key block and save it to a *.asc file.
  - Import the GnuPG public keys:
gpg --import gnupg.asc
  - Verify that the keys were imported. Notice they are initially untrusted.
gpg --list-keys --keyid-format LONG
  - Note the key-id that identifies each key in the current environment (the hex part after the algorithm), for example:
pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]
  - Verify that the imported keys match the keys on the GnuPG public keys reference page. Compare the full 40-character fingerprint printed under each pub line, not just the key-id: the key-id is only the last 16 hex digits of the fingerprint, and short key-ids are trivial to collide. Then trust each key with the following command. Ultimate trust is used here; full trust also suffices for verifying someone else's signatures and is what keys you do not own conventionally get, in which case the listings below show [full] instead of [ultimate].
gpg --edit-key {key-id} trust
  - Verify that the GnuPG keys are trusted (expired ones won't show the ultimate trust flag):
$ gpg --list-keys --keyid-format LONG
pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]
      D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
uid           [ultimate] Werner Koch (dist sig)
pub   rsa2048/2071B08A33BD3F06 2014-10-29 [SC] [expired: 2020-10-30]
      031EC2536E580D8EA286A9F22071B08A33BD3F06
uid           [ expired] NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
pub   rsa3072/BCEF7E294B092E28 2017-03-17 [SC] [expires: 2027-03-15]
      5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
uid           [ultimate] Andre Heinecke (Release Signing Key)
pub   ed25519/528897B826403ADA 2020-08-24 [SC] [expires: 2030-06-30]
      6DAA6E64A76D2840571B4902528897B826403ADA
uid           [ultimate] Werner Koch (dist signing 2020)
- Verify the installation package. Read "Integrity check" by the GnuPG team. If the previous steps were done correctly, a message similar to the one below should be displayed; otherwise refer to the aforementioned Integrity check. A "Good signature" line on its own is not enough: check that the key it names is one of the fingerprints you just verified, because gpg reports a good signature from any key in the keyring, including one an attacker could have asked you to import.
gpg: Signature made 07-04-2021 20:06:23 Central European Daylight Time
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [ultimate]
- Install gpg.
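The verification above leans on the trust level you assigned by hand. The script below is an added example (not code from the original post or from the GnuPG project) that instead pins the release-signing fingerprints listed on this page and accepts the installer only when gpg's machine-readable VALIDSIG status line names one of them, so the result no longer depends on how the keys were trusted. It assumes gpg is on PATH in Git Bash and that the .sig file sits next to the installer; the function names are this example's own, and the colon-format listing and status output in the usage comments are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Pin the GnuPG release-signing
# fingerprints and accept the installer only when its signature was made by
# one of them. The fingerprints are copied from the key listing above (the
# expired NIIBE Yutaka key is left out); the GnuPG public keys reference page
# is authoritative, so re-check it before use, as keys expire and rotate.
set -eu

PINNED_FPRS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
6DAA6E64A76D2840571B4902528897B826403ADA"

# is_pinned FPR: succeeds when FPR is one of the pinned fingerprints.
is_pinned() {
  local fpr
  for fpr in $PINNED_FPRS; do
    [ "$fpr" = "$1" ] && return 0
  done
  return 1
}

# missing_pinned_keys LISTING: LISTING is `gpg --list-keys --with-colons`
# output. Prints every pinned fingerprint not present in the keyring
# (field 10 of the "fpr" records) and fails if any is missing.
missing_pinned_keys() {
  local present fpr rc=0
  present=$(printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }')
  for fpr in $PINNED_FPRS; do
    case "$present" in
      *"$fpr"*) ;;
      *) echo "$fpr"; rc=1 ;;
    esac
  done
  return $rc
}

# validsig_fingerprint STATUS: STATUS is the machine-readable output of
# `gpg --status-fd 1 --verify`. Prints the fingerprint from the VALIDSIG
# line, or nothing when the signature did not verify. VALIDSIG is emitted
# for every cryptographically valid signature whatever the key's trust
# level, so this check does not depend on the trust assigned earlier.
validsig_fingerprint() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# verify_installer INSTALLER: expects INSTALLER.sig next to the file.
verify_installer() {
  local installer="$1" status fpr
  if ! missing_pinned_keys "$(gpg --list-keys --with-colons)" >/dev/null; then
    echo "keyring is missing pinned GnuPG release keys; import them first" >&2
    return 1
  fi
  # --status-fd 1 puts the [GNUPG:] lines on stdout; gpg's exit status is
  # ignored on purpose, the VALIDSIG fingerprint is what decides.
  status=$(gpg --status-fd 1 --verify "$installer.sig" "$installer" 2>/dev/null) || true
  fpr=$(validsig_fingerprint "$status")
  if [ -n "$fpr" ] && is_pinned "$fpr"; then
    echo "good signature from pinned key $fpr on $installer"
    return 0
  fi
  echo "signature on $installer is missing, invalid, or not from a pinned key" >&2
  return 1
}

# Usage from Git Bash, with the installer and its .sig in the current directory
# ({VERSION} is a placeholder for the release you downloaded):
#   verify_installer gnupg-w32-{VERSION}.exe
```

A "Good signature" from a key that is merely present in the keyring is not accepted: the VALIDSIG fingerprint has to be on the pinned list, which is the check the human-readable output leaves to the reader.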
Post-install steps
- Open a Windows command prompt and configure the new installation.
- Verify the version and location of gpg. Both should now point at the fresh installation, not at the copy bundled with Git.
where gpg
gpg --version
- If gpg reports in a language other than English, set the environment variable LANG=C and restart the command prompt.
- Import the GnuPG keys as described before. Ensure they are trusted.
Create GPG signing key
Create the GPG key that will sign your commits. If the key is meant to be used with GitHub, follow GitHub's latest instructions: the email address in the key's user ID has to match a verified email address on your GitHub account, otherwise the commit will not be marked as Verified. Protect the key with a passphrase; gpg-agent will prompt for it at commit time.
gpg --full-generate-key
Update Git Bash to use new gpg installation
- Validate: if Git Bash is still using its own gpg (and therefore its own keyring), the new key will be visible only from the command prompt. Run the listing command in both the command prompt and the bash shell and compare.
gpg --list-keys
- Add an alias for the new gpg to {SYSTEMDRIVE}/Users/{PROFILE}/.bash_profile (create the file if needed):
alias gpg="'C:\Program Files (x86)\gnupg\bin\gpg.exe'"
- Restart Git Bash to apply the change. The alias only affects gpg commands you type in Git Bash; Git itself calls the binary set in gpg.program, which is configured in the next section.
Configure Git
- Add the following config changes globally. Setting commit.gpgsign to true enables signing of every commit by default. Without it each commit would have to be explicitly marked for signing with the -S flag (e.g. git commit -S -m "Add new file").
git config --global gpg.program {PATH_TO_GPG}
git config --global user.signingkey {KEY_ID}
git config --global commit.gpgsign true
- Depending on your preferences, annotated tags can be signed by default as well by changing the following config.
git config --global tag.forceSignAnnotated true
Test Git commit signing
- Create a temporary repository.
mkdir test-repo
cd test-repo
git init
- Add an empty commit and verify that you are prompted for the GPG key passphrase.
git commit --allow-empty -m "Signed commit"
The signature can be verified using the following methods.
$ git verify-commit 64796ee
gpg: Signature made 14-04-2021 10:00:09 Central European Daylight Time
gpg:                using RSA key 551760C1C76669F30FEFCDAF59DCC37EB7307329
gpg: Good signature from "Kamil Gierach-Pacanek (Git signing key) <****@******.com>" [ultimate]
$ git show --show-signature 64796ee
commit 64796eeea6be5742828f5269a35585c98f02d3c2 (HEAD -> master)
gpg: Signature made 14-04-2021 10:00:09 Central European Daylight Time
gpg:                using RSA key 551760C1C76669F30FEFCDAF59DCC37EB7307329
gpg: Good signature from "Kamil Gierach-Pacanek (Git signing key) <****@******.com>" [ultimate]
Author: Kamil Gierach-Pacanek <****@******.com>
Date:   Wed Apr 14 09:59:52 2021 +0200

    Signed commit
Useful notes
Resetting gpg-agent
In case the following error occurs during the commit phase:
gpg: can't connect to the agent: IPC connect call failed
gpg: keydb_search failed: No agent running
gpg: skipped "34A91BE1A93DDAF6": No agent running
gpg: signing failed: No agent running
error: gpg failed to sign the data
fatal: failed to write commit object
Run the following commands to kill the agent and start it again (gpg-connect-agent launches a fresh one if none is running).
gpgconf --kill gpg-agent
gpg-connect-agent reloadagent /bye
GPG failed to sign the data
First, ensure your user.name and user.email match the user ID on the GPG key. When user.signingkey is not set, Git hands "Name <email>" to gpg to locate the key, so a mismatch means no key is found; when it is set, check that the configured key ID belongs to one of the secret keys gpg lists.
$ git config --get-all user.name
$ git config --get-all user.email
$ gpg -K --keyid-format SHORT
If they match, the problem most probably lies with GPG itself. Try the following command:
$ echo "test" | gpg --clearsign
If the error message says
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device
gpg-agent cannot find a terminal on which to show the passphrase prompt. Run the command below and try again; add the same line to .bash_profile to make it permanent:
$ export GPG_TTY=$(tty)
Tip about exporting the GPG_TTY variable sourced from here.
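The manual checks above can be folded into one diagnostic. The script below is an added example (not code from the original post) that parses `gpg -K --with-colons`, works out whether the key Git will hand to gpg (user.signingkey, or the committer identity when that is unset) resolves to a secret key that is neither expired nor revoked, and only then runs the clearsign self-test with GPG_TTY set. The function names are this example's own, and the key listing used to exercise it is a constructed sample with placeholder fingerprints and email addresses; it assumes git and gpg are on PATH in Git Bash.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: a diagnostic for the
# "gpg failed to sign the data" case. Git signs with user.signingkey or,
# when that is unset, asks gpg for the key matching the committer's
# "Name <email>"; this checks that either route ends at a secret key gpg
# actually holds and is not expired or revoked, then runs the clearsign
# self-test from the post with GPG_TTY set.
set -eu

# usable_secret_fprs LISTING [EMAIL]: LISTING is `gpg -K --with-colons`
# output. Prints the primary fingerprint of every secret key that is not
# expired/revoked/disabled (validity field of the "sec" record) and, when
# EMAIL is given, has a uid containing <EMAIL>. The "fpr" record directly
# after "sec" is the primary key's; subkey fingerprints are skipped.
usable_secret_fprs() {
  printf '%s\n' "$1" | awk -F: -v email="${2:-}" '
    $1 == "sec" { usable = ($2 != "e" && $2 != "r" && $2 != "d"); fpr = ""; next }
    $1 == "fpr" && fpr == "" { fpr = $10; next }
    $1 == "uid" && usable && $2 != "r" && fpr != "" && !seen[fpr] {
      if (email == "" || index($10, "<" email ">")) { print fpr; seen[fpr] = 1 }
    }'
}

# signing_key_consistent SIGNINGKEY LISTING EMAIL: SIGNINGKEY is the value
# of `git config user.signingkey` (empty, a key ID with or without 0x, or
# a full fingerprint). Succeeds when the key Git will hand to gpg resolves
# to a usable secret key.
signing_key_consistent() {
  local key="$1" listing="$2" email="$3"
  if [ -z "$key" ]; then
    # no signingkey: gpg searches by the committer identity, so the email
    # must appear in a uid of a usable secret key
    [ -n "$(usable_secret_fprs "$listing" "$email")" ]
    return
  fi
  key=$(printf '%s' "$key" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
  # a key ID is the tail of the fingerprint, so match it as a suffix
  usable_secret_fprs "$listing" | grep "${key}\$" >/dev/null
}

# diagnose_signing: run inside the repository that fails to sign.
diagnose_signing() {
  local email key listing
  email=$(git config --get user.email)
  key=$(git config --get user.signingkey || true)
  listing=$(gpg -K --with-colons)
  if ! signing_key_consistent "$key" "$listing" "$email"; then
    echo "no usable secret key for user.signingkey='$key' / user.email='$email'" >&2
    echo "usable secret keys: $(usable_secret_fprs "$listing" | tr '\n' ' ')" >&2
    return 1
  fi
  echo "ok: Git will sign as '${key:-$email}' with a key gpg holds"
  # pinentry needs a terminal to ask for the passphrase
  export GPG_TTY
  GPG_TTY=$(tty)
  echo test | gpg --clearsign >/dev/null && echo "ok: gpg can sign"
}

# Usage, from Git Bash inside the repository:
#   diagnose_signing
```

Expired or revoked keys are filtered out deliberately: they still show up in `gpg -K`, which is why a visual check of the listing can look fine while signing fails.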