DataGenX - Atul's Notes

My scrapbook about almost anything I stumble upon in my tech world. If you find anything useful don't forget to give thumbs-up :)

Breaking

Thursday, February 8, 2024

Home / Commit / Git / github / GPG / Key / sign / SSH / Sign your Github Commit with GPG or SSH Key

Sign your Github Commit with GPG or SSH Key

by on in , , , , , ,
GPG Key is your identity in digital world as there are very rare chances (almost nil) for regeneration of same GPG keys twice, hence you must safe keep your GPG keys as malicious personnel can use this key (if stolen) to represent you. Github allows you to sign your git commits with your GPG key which is to prove that It was you and only you have made this commit. It's pretty straightforward if you followed below steps -

Steps:

  • First. Reset if you have GPG key setup for Git, You can skip this step if not. 
    git config --global --unset gpg.format
  • List your GPG Key/s
    gpg --list-secret-keys --keyid-format=long
    This will display the output as below - 
    > gpg --list-secret-keys --keyid-format=long
/home/atul/.gnupg/pubring.kbx
-----------------------------
sec   ed25519/DC720CCF9BCEDF17 2023-09-08 [SC] [expires: 2026-12-07]
      E4458C3F9BCEDF17CF9BCEDF1728DC720CCF9BCEDF17
uid                 [ultimate] AtulS (Encrypt n Sign Key for AtulS) <dummy@mail.com>
ssb   cv25519/E4458C3F9BCEDF17 2023-09-08 [E] [expires: 2026-12-07]
    Your KEY-ID is DC720CCF9BCEDF17  ( line starts from "sec" ) 

  • Now, Let Git know to use this KEY ID 
    git config --global user.signingkey DC720CCF9BCEDF17

  • Last configure Git to Sign all the commits with this key
    git config --global commit.gpgsign true

    As GPG keys are password protected, Git will ask the GPG key password to sign the commits in each new terminal which is kind of a hassle but this is what it make this more secure. There are some agent tools available which you can use to keep the GPG key open in the terminal, but personally, I will not advise to use those. 

    Below is the screenshot of not-signed and signed git commit - 






                                                                                                                                                                                                                                                                                                                                                   You can use SSH key as well to sign your commits (if don't want to manage one another additional key), All the commands are pretty much same. 
    • # Unset the existing GPG config
git config --global --unset gpg.format

# Use SSH for GPG signing
git config --global gpg.format ssh

# Config the SSH key which sign the commit
git config --global user.signingkey "$(cat $HOME/.ssh/id_ed25519.pub)"

# Enable the commit signing
git config --global commit.gpgSign true

    Now, you can choose which way you want to go, If you are not using GPG keys at all, use SSH way else you know what to do :-) 
            


    Like the below page to get the update  
    Facebook Page      Facebook Group      Twitter Feed      Telegram Group


Author Image

About Atul Singh
I am a Data Consultant at a Canadian financial firm. My keen interests varies from Data Analytics, ML, Kubernetes, NLP to ETL. I love to blog and travel in my spare time. If you’d like to get in touch, feel free to say hello through any of the social links.

Related Posts:
By at
Labels: , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Disclaimer

The postings on this site are my own and don't necessarily represent IBM's or other companies positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of his information.