Signed Git commits

Git is a powerful version control system that I have been using for quite some time, both for my own projects and for the projects we do at the university. Recently, I stumbled across signed commits. You may be familiar with the green "Verified" badge on GitHub that appears next to a commit when you commit to a repository directly from GitHub's web interface. I was curious how to achieve these verified commits from the command line or from an IDE like Visual Studio Code.

Git has supported signed commits for quite some time (since January 2012) and signed tags for even longer. This means that Git can use the GNU Privacy Guard (GPG) to verify that commits actually come from a trusted source. GitHub marks signed commits with a green "Verified" badge.

Set up GPG

First, install GPG on your system, either via a package manager (e.g. apt install gpg) or, on Windows, by installing Gpg4win.

You may want to verify that gpg has been installed successfully by running the following command in a terminal or in Windows PowerShell/CMD:

$ gpg --version
gpg (GnuPG) 2.0.30 (Gpg4win 2.3.4)
libgcrypt 1.7.8

Next we need to import both our public and private keys; you may have them exported in an .asc file. If you haven't generated any keys yet, you first have to do so, and can then go straight to the Git setup part.

Set up Git

Now we need to tell Git about our GPG key, or more precisely its signing key ID. You can get this ID with the following command by looking for the lines starting with sig:

$ gpg --list-sigs

# Sometimes the above command doesn't work. In this case go with
$ gpg --list-signatures

$ git config --global user.signingkey YOURGPGSIGNATURE
$ git config --global commit.gpgsign true

Set up the Git server

We have to tell the Git server to recognize our public key. For that we need to export it to a file:

# --export alone only prints to the terminal; give it the key ID from above and
# redirect the ASCII-armored output into a file (the file name is your choice)
$ gpg --armor --export YOURGPGSIGNATURE > public-key.asc

After that, open the file with your favorite text editor and copy its content to the clipboard. Now we need to navigate to the GPG settings on our Git server. On GitHub, go to Settings > SSH and GPG Keys > New GPG key.

Here we paste the key we just copied. After that, you should be able to see the GPG key in the web interface.

We should now be able to create signed commits!
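To tie the steps above together, here is an added example (not code from the original post) that runs the whole procedure end to end in throwaway directories: it generates a signing-only key, reads its key ID from GPG's machine-readable listing, configures Git, exports the public key to an .asc file ready to paste into GitHub, makes a signed commit and reports Git's view of the signature. It assumes a POSIX shell with Git and GnuPG 2.1 or later; the key name, e-mail address and file name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): signed-commit workflow in throwaway dirs.
set -eu

# Keyring and repo live in temp dirs so nothing on the machine is changed.
export GNUPGHOME="$(mktemp -d)"
REPO="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$REPO"' EXIT

# 1. Generate a signing-only key non-interactively (needs GnuPG >= 2.1).
#    Name and e-mail are constructed placeholders.
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Signed Commit Demo
Name-Email: demo@example.com
Expire-Date: 0
%commit
EOF

# 2. Long key ID from machine-readable output ("sec" record, field 5), not by eye.
KEY_ID="$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')"

# 3. Configure signing for this repo only (the post uses --global for all repos).
git init -q "$REPO"
git -C "$REPO" config user.name "Signed Commit Demo"
git -C "$REPO" config user.email "demo@example.com"
git -C "$REPO" config user.signingkey "$KEY_ID"
git -C "$REPO" config commit.gpgsign true

# 4. Export the public key to the .asc file whose content gets pasted into GitHub.
gpg --armor --export "$KEY_ID" > "$REPO/public-key.asc"

# Commit the given text and return Git's signature status for that commit:
# G = good signature, U = good but untrusted key, B = bad, N = unsigned.
make_signed_commit() {
    printf '%s\n' "$1" > "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q -m "signed commit"
    git -C "$REPO" log -1 --format=%G?
}

# verify-commit exits non-zero when the signature is missing, bad or unknown.
verify_head() {
    git -C "$REPO" verify-commit HEAD >/dev/null 2>&1 && echo ok || echo fail
}
echo "status: $(make_signed_commit hello)"
```

The same checks are what GitHub performs server-side once the exported public key has been added to the account; locally, git log --show-signature prints the full GPG output behind the one-letter status.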
