How to sign your Github Commits ?

In this blog , we are going to see how we can sign your Github commits and get the verified sign when you commit your code.

Before jumping on to the how part of this blog. Lets quickly see why we have to sign our commit message.

Introduction:

When we are committing a piece of code via Pull request to a repository. how does the open source repository maintainer can know that you are who you say you are ?

You might have question, When I setup my git client in my machine I am configuring name , email address and personal token, also when I commit something via PR my email address is displayed in the commit message. What more they need to verify ?

Hold that thought !!!

Lets just say user A has mail address of [email protected] is regular contributor of open source repository. All I have to do his configure his name and email in my email with git config command and I can open a sketchy PR which will have higher possibility of getting merged.

By regularly signing the commits, OSS maintainer can be sure you are the author for the committed code change.

Now that we have established , it is easy to impersonate someone. Lets see how we can sign the commits.

We will be signing our commit with help of GPG key. GnuPG uses a system of public and private keys for the encryption and signing of messages.

Setting up the GPG key:

If you are using mac os , open up your terminal and enter the following to install GPG.

brew install gnupg gnupg2

You can verify it with following command.

gpg --versiongpg (GnuPG) 2.3.4libgcrypt 1.10.0Copyright (C) 2021 Free Software Foundation, Inc.License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Home: /Users/karthikeyan.shanmuga/.gnupgSupported algorithms:Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSACipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,        CAMELLIA128, CAMELLIA192, CAMELLIA256AEAD: EAX, OCBHash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224Compression: Uncompressed, ZIP, ZLIB, BZIP2

For windows , Visit this link to download and install gpg executable to get started.

Generating the GPG key:

• Run the following command to generate your GPG key.

gpg --full-generate-key

You will get the following prompts as mentioned in the screenshot

• We will go with default prompt for selecting the algorithm ( RSA and RSA ). The key size should be 4096, we will be entering the same. For the expiry time, I am going to go with never expiry ( 0 ) , you can also go with expiry time to be 2 years.

• Now we need to enter the personal details

Note: When asked to enter your email address, ensure that you enter the verified email address for your GitHub account.

• Cross check the details and hit confirm.
• Enter the passphrase

• Once you entered the passphrase twice , you should see the key printed in your terminal.

• Use the gpg --list-secret-keys --keyid-format=long command to list the long form of the GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.

• From the list of GPG keys, copy the long form of the GPG key ID you'd like to use. In this example, the GPG key ID is3AA5C34371567BD2:
  

gpg --list-secret-keys --keyid-format=long/Users/karthikeyan.shanmuga/.gnupg/pubring.kbx----------------------------------------------sec   rsa4096/006776222903545 2022-05-13 [SC]      76293F4E68EDF0BAQEFAASCCSC5A0F713C2EC0uid   [ultimate] karthikeyan <[email protected]>ssb   rsa4096/0067762AB2903545 2022-05-13 [E]

• Paste the text below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is006776222903545:

gpg --armor --export 006776222903545# Prints the GPG key ID, in ASCII armor format

Note: The one which you are seeing is not a valid key. Please use the key which you see in your terminal.

• Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK----- and keep it safe.

Adding the Key to Github :

Let's add the key to your Github account.

1. Login to your github account and go to settings and navigate to this link.
2. click on new GPG key and paste in the key and click on add GPG key

Signing the commit message

• Get generated key by executing: gpg --list-keys

/Users/karthikeyan.shanmuga/.gnupg/pubring.kbx----------------------------------------------pub   rsa4096 2022-05-13 [SC]      76293F4E68EDF0BAQEFAASCCSC5A0F713C2EC0uid           [ultimate] karthikeyan <[email protected]>sub   rsa4096 2022-05-13 [E]

Note: This is not valid key. Please use the key which you see once you execute the command.

• Set the key here git config --global user.signingkey <Key from your list>

• Based on the example the command will look something like this
  

git config --global user.signingkey 76293F4E68EDF0BAQEFAASCCSC5A0F713C2EC0

• Running this git config --global commit.gpgsign true command will set the signing of your commits by default

• Finally , when you run git commit -S -m 'commit message' , it will ask for your passphrase and boom you will be able to successfully sign your commit message.

• Run this command git log --show-signature to verify that your commit has been signed with your public key

References and Resources:

1. Github docs
2. How and why to sign github commits

Conclusion

That's pretty much it. Thank you for taking the time to read the blog post. If you found the post useful , add to it and let me know in the comment section if I have missed something.

Feedback on the blog is most welcome.

Social Links:

Twitter
Showwcase