@2oji
Last active February 13, 2025 09:53
Set GPG

Procedure to set up GPG for signed commits and tags.

For a short introduction to signed commits and what the "Verified" badge means, see GitHub's docs page displaying-verification-statuses.

Install the GPG
Show Existing keys
Add GPG Key to github account
Setting local workplace
Signing Commits
Signing Tags
Generate a new GPG key
Telling git about your signing key
Update GPG Key
Debugging
Other useful commands

Install the GPG

Install GnuPG for your platform, then confirm that gpg is on your PATH and check its version:

gpg --version

gpg (GnuPG) 2.2.4
libgcrypt 1.8.1

Show Existing keys

gpg --list-secret-keys --keyid-format=long

If a secret key already exists, export its public part in ASCII-armor format and add it to your GitHub account (substitute your own long key ID):

$ gpg --armor --export 3AA5C34371567BD2
# Prints the GPG public key, in ASCII armor format

Add GPG Key to github account

Follow GitHub's procedure for adding a GPG key to your account, pasting the armored public key exported above.

Setting local workplace

Configure the local repository to use GPG by default. Set the user name and email to match the ones on your GitHub account (the email must be one GitHub has verified for you, otherwise the signature will not show as verified):

git config --local user.name "YOUR_NAME"
git config --local user.email "YOUR_GITHUB_EMAIL"

Set the signing key (take the long key ID from the listing) and enable signing for both commits and tags:

gpg --list-secret-keys --keyid-format=long
git config --local user.signingkey 3AA5C34371567BD2
git config --local commit.gpgsign true
git config --local tag.gpgSign true

To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.0 and above, run git config commit.gpgsign true.
To sign all commits by default in any local repository on your computer, run git config --global commit.gpgsign true.
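The steps above are manual: read the key ID off the listing, paste it into git config, and hope you did not pick an expired key or mistype the ID. The shell script below is an added example, not part of the gist, that automates that selection and check. It parses a constructed gpg 2.2 listing (the key IDs 3AA5C34371567BD2, 4BB6D45482678BE3 and 57F4FA608D45BAB9 are the ones used in this gist; the e-mail addresses and the subkey 1122334455667788 are placeholders), skips expired or revoked primary keys, and applies the same --local settings as above, appending "!" to the key ID as the Caution note later on this page recommends.

```shell
# Added example (not from the gist): pick the signing key for an e-mail
# address out of `gpg --list-secret-keys --keyid-format=long` output and
# point the local repository at it, appending "!" as the gist recommends.

# Constructed listing in gpg 2.2 format. The key IDs 3AA5C34371567BD2,
# 4BB6D45482678BE3 and 57F4FA608D45BAB9 are the ones that appear in the
# gist; the e-mail addresses and subkey 1122334455667788 are placeholders.
SAMPLE_LISTING=$(cat <<'EOF'
/home/user/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC] [expired: 2017-03-10]
uid                 [ expired] Hubot <hubot@example.com>
ssb   rsa4096/4BB6D45482678BE3 2016-03-10 [E]

sec   rsa4096/57F4FA608D45BAB9 2025-02-10 [SC] [expires: 2026-02-10]
uid                 [ultimate] Octocat (GITHUB-KEY) <octocat@users.noreply.github.com>
ssb   rsa4096/1122334455667788 2025-02-10 [E]
EOF
)

# select_signing_key LISTING EMAIL
# Prints the long ID of the first primary key that is neither expired nor
# revoked and has a uid for <EMAIL>. Exits 1 (prints nothing) otherwise, so
# an expired key is never silently configured.
select_signing_key() {
  printf '%s\n' "$1" | awk -v email="$2" '
    /^sec / {                                  # "sec   rsa4096/KEYID date [SC] [expires: ...]"
      key = $2; sub(/^[^\/]*\//, "", key)      # keep only the part after the slash
      usable = ($0 !~ /\[(expired|revoked):/)
      next
    }
    /^uid / && key != "" && usable && index($0, "<" email ">") { print key; found = 1; exit }
    /^$/ { key = ""; usable = 0 }              # blank line ends a key block
    END { if (!found) exit 1 }
  '
}

# configure_repo_signing KEYID [REPO]
# Applies the --local settings from the gist to REPO (default: the current
# directory) and reads the key back so a mistyped ID fails loudly.
configure_repo_signing() {
  key="$1"; repo="${2:-.}"
  git -C "$repo" config --local user.signingkey "${key}!" &&
  git -C "$repo" config --local commit.gpgsign true &&
  git -C "$repo" config --local tag.gpgSign true &&
  [ "$(git -C "$repo" config --get user.signingkey)" = "${key}!" ]
}

# Stand-alone demo: resolve the key for the GitHub noreply address. To apply
# it to a repository, run: configure_repo_signing "$key" /path/to/repo
if key=$(select_signing_key "$SAMPLE_LISTING" octocat@users.noreply.github.com); then
  echo "usable signing key: $key"
else
  echo "no usable signing key for that address" >&2
fi
```

In real use, feed `select_signing_key "$(gpg --list-secret-keys --keyid-format=long)" you@example.com` into `configure_repo_signing`; because the function refuses expired and revoked keys, a key that has reached its validity period (such as a key generated with a 1w validity, as in the key-generation steps below) is reported instead of being configured.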

Signing Commits

When committing changes in your local branch, add the -S flag to the git commit command:

$ git commit -S -m "YOUR_COMMIT_MESSAGE"
# Creates a signed commit

$ git push
# Pushes your local commits to the remote repository

Signing Tags

To sign a tag, add -s to your git tag command.

$ git tag -s MYTAG
# Creates a signed tag

Verify your signed tag by running git tag -v [tag-name].

$ git tag -v MYTAG
# Verifies the signed tag

Generate a new GPG key

gpg --full-generate-key
  1. Enter the kind of key.
  2. Enter the key size.
  3. Enter the validity period, for example 1w.
  4. Enter any name.
  5. Enter the email address.
    • The email address should be the GitHub-provided (noreply) address of your account.
    • Set that GitHub noreply address as git config --local user.email as well.
    • Any other email address will not work.
  6. Enter a passphrase.

Export the public key with gpg --armor --export (as shown above) and copy it, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Telling git about your signing key

  • Unset gpg.format if it was set earlier, so git falls back to the default (OpenPGP):
git config --global --unset gpg.format
  • Show the keys:
$ gpg --list-secret-keys --keyid-format=long
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot <[email protected]>
ssb   4096R/4BB6D45482678BE3 2016-03-10
  • From the list of GPG keys, copy the long form of the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2.

To set your primary GPG signing key in Git, paste the text below, substituting in the GPG primary key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:

git config --global user.signingkey 3AA5C34371567BD2

Alternatively, you may want to use a subkey. In this example, the GPG subkey ID is 4BB6D45482678BE3:

git config --global user.signingkey 4BB6D45482678BE3

Caution

If you use multiple keys and subkeys, append an exclamation mark (!) to the key ID to tell git that this is your preferred key. Depending on your shell, you may need to escape the exclamation mark with a backslash: \!.

Optionally, to configure Git to sign all commits and tags by default, enter the following command:

git config --global commit.gpgsign true
git config --global tag.gpgSign true

Important

To set GPG_TTY in your .bashrc startup file (gpg needs it to prompt for the passphrase on the right terminal), run the following command:

[ -f ~/.bashrc ] && echo -e '\nexport GPG_TTY=$(tty)' >> ~/.bashrc

Update GPG Key

Use gpg --edit-key to update the details stored in the key, for example the email address, the user details, and so on:

gpg --edit-key 3AA5C34371567BD2

gpg> adduid

Real Name: OCTOCAT
Email address: "[email protected]"
Comment: GITHUB-KEY
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

gpg> save

Debugging

  • Standalone validation: sign a test message outside git with echo "test" | gpg --clearsign. A broken setup fails like this:
echo "test" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
gpg: signing failed: Inappropriate ioctl for device
gpg: [stdin]: clear-sign failed: Inappropriate ioctl for device

Tip

Running export GPG_TTY=$(tty) makes it work.

After that, echo "test" | gpg --clearsign passes (PASS).

  • Prefix a git command with GIT_TRACE=1 to see the commands git runs internally. The command below shows the error:
GIT_TRACE=1 git commit -S -m "New"
20:12:12.634411 git.c:344               trace: built-in: git commit -S -m New
20:12:12.635410 run-command.c:646       trace: run_command: gpg --status-fd=2 -bsau 57F4FA608D45BAB9
error: gpg failed to sign the data
fatal: failed to write commit object

Running the traced gpg command by hand, it hangs here (gpg is waiting for the passphrase prompt, which is why GPG_TTY matters):

gpg --status-fd=2 -bsau 57F4FA608D45BAB9
[GNUPG:] KEY_CONSIDERED ECC43CBF86A5676302D329A157F4FA608D45BAB9 2
[GNUPG:] BEGIN_SIGNING H10

Other useful commands

Check log on local system with --show-signature

git log --show-signature
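git log --show-signature prints the raw gpg output under each commit, which is fine for one commit but awkward for reviewing a whole branch. The script below is an added example, not part of the gist, that goes a step further: it reads that output and classifies every commit as GOOD, GOOD_UNTRUSTED (valid signature, but the key is not certified in the local web of trust, which gpg reports with a WARNING), BAD, NO_PUBKEY, EXPIRED_KEY or UNSIGNED, and offers a check that passes only when every commit is GOOD. The sample log is constructed; the fingerprint ECC43CBF86A5676302D329A157F4FA608D45BAB9 is the one from the GIT_TRACE output above, while the commit hashes, the other key fingerprints and the addresses are placeholders.

```shell
# Added example (not from the gist): classify each commit in
# `git log --show-signature` output so unsigned or unverifiable commits
# stand out, e.g. as a check before accepting a branch.

# Constructed sample of `git log --show-signature` output. The fingerprint
# ECC43CBF86A5676302D329A157F4FA608D45BAB9 is the one from the gist's
# trace; commit hashes, other fingerprints and addresses are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
commit 1111111111111111111111111111111111111111 (HEAD -> main)
gpg: Signature made Tue Feb 11 20:12:12 2025 UTC
gpg:                using RSA key ECC43CBF86A5676302D329A157F4FA608D45BAB9
gpg: Good signature from "Octocat (GITHUB-KEY) <octocat@users.noreply.github.com>" [ultimate]
Author: Octocat <octocat@users.noreply.github.com>
Date:   Tue Feb 11 20:12:12 2025 +0000

    signed with the configured key

commit 2222222222222222222222222222222222222222
gpg: Signature made Tue Feb 11 19:00:00 2025 UTC
gpg:                using RSA key 0123456789ABCDEF0123456789ABCDEF01234567
gpg: Good signature from "Someone <someone@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Author: Someone <someone@example.com>
Date:   Tue Feb 11 19:00:00 2025 +0000

    signed by a key nobody has certified

commit 3333333333333333333333333333333333333333
gpg: Signature made Tue Feb 11 18:00:00 2025 UTC
gpg:                using RSA key FEDCBA9876543210FEDCBA9876543210FEDCBA98
gpg: Can't check signature: No public key
Author: Someone Else <else@example.com>
Date:   Tue Feb 11 18:00:00 2025 +0000

    signed, but the public key is not in the local keyring

commit 4444444444444444444444444444444444444444
Author: Nobody <nobody@example.com>
Date:   Tue Feb 11 17:00:00 2025 +0000

    not signed at all
EOF
)

# classify_signatures < LOG
# Prints "<hash> <STATUS>" for every commit. gpg's lines sit between the
# "commit" line and the "Author:" line, so state is reset on each "commit".
classify_signatures() {
  awk '
    function flush() { if (hash != "") print hash, status }
    /^commit /                                  { flush(); hash = $2; status = "UNSIGNED"; next }
    /^gpg: Good signature/                      { status = "GOOD"; next }
    /^gpg: BAD signature/                       { status = "BAD"; next }
    /^gpg: Can.t check signature/               { status = "NO_PUBKEY"; next }
    /^gpg: Note: This key has expired/          { status = "EXPIRED_KEY"; next }
    /^gpg: WARNING: This key is not certified/  { if (status == "GOOD") status = "GOOD_UNTRUSTED" }
    END { flush() }
  '
}

# all_commits_verified < LOG
# Succeeds only when every commit is GOOD; lists the offenders on stderr
# otherwise, so it can gate a merge or a release.
all_commits_verified() {
  offenders=$(classify_signatures | awk '$2 != "GOOD"')
  [ -z "$offenders" ] || { printf '%s\n' "$offenders" >&2; return 1; }
}

# Stand-alone demo on the sample. In a repository use, for example:
#   git log --show-signature origin/main..HEAD | all_commits_verified
printf '%s\n' "$SAMPLE_LOG" | classify_signatures
```

The GOOD_UNTRUSTED case is the one worth noticing: gpg reports "Good signature" whenever the signature is cryptographically valid for a key in the keyring, and only the WARNING line tells you that nobody has certified that the key belongs to the named person. Treat it like the "Unverified" status GitHub shows for a key it cannot tie to an account.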