"Why do I need to sign my git commits?":
- Authentication: git lets anyone put any name and email into user.name and user.email, so those fields prove nothing. A signature proves the commit was made by the holder of your private key.
- Integrity: the signature covers the commit object (tree, parents, author, message), so any modification after signing makes verification fail.
- Non-repudiation: the signer cannot later plausibly deny having made a commit that carries a valid signature from their key.
- Attack mitigation: it makes forging commits in your name detectable, provided reviewers and the hosting site actually check the signatures.
Prerequisites:
- A computer running an operating system on which GnuPG and git are available.
- Basic git knowledge; see the Wikipedia article on Git or man git.
- An email address that is registered with your git hosting site account.
Installing GnuPG:
Windows: gpg4win. Most Linux systems have gpg installed already; if not, install it with your distribution's package manager.
gpg --full-gen-key
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection?
Go with the default (press Enter). It creates an ECC signing key plus an encryption subkey; only the signing capability is needed for commits, but the default is what the hosting sites expect and keeps the key usable for other purposes.
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection?
Go with the default, Curve 25519 (press Enter). It is fast, widely supported, and does not carry the parameter-provenance questions that surround the NIST curves.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
The default (no expiry) is the least hassle, but a key that expires limits the damage if you lose control of it and forget to revoke it. Choosing an expiry does not mean creating a new key later: the expire command of gpg --edit-key extends the date on the existing key. Either way, press y and Enter to confirm your choice.
GnuPG needs to construct a user ID to identify your key.
Real name: Gregory Watson III
Email address: gregthird@watson.co.uk
Comment:
You selected this USER-ID:
"Gregory Watson III <gregthird@watson.co.uk>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Fill in the fields. The email address matters most: it must exactly match an email address on your git hosting account, otherwise the site cannot link the signature to you. The real name should match the full name you use there. Type O and then Enter.
You will be prompted for a passphrase and asked to repeat it. Choose a strong one and keep it in a password manager: it is what protects the private key file on disk.
If you only have one git hosting site account, set the values globally:
git config --global user.name "Gregory Watson III"
git config --global user.email gregthird@watson.co.uk
git config --global user.signingkey gregthird@watson.co.uk
If you use more than one GPG key, for example one per hosting site account, set the values per repository instead. In the directory of the cloned repository (a local setting overrides the global one):
git config user.name "Gregory Watson III"
git config user.email gregthird@watson.co.uk
git config user.signingkey gregthird@watson.co.uk
Adjust the rest of the guide to your situation. The email address works as user.signingkey because gpg resolves it to a key, but if you ever have several keys for the same address the choice becomes ambiguous; the key's fingerprint or long key ID is the unambiguous form.
Then make every commit signed by default and review the result:
git config --global commit.gpgsign true
git config --global --list
Your git config should include lines like these:
user.name=Gregory Watson III
user.email=gregthird@watson.co.uk
user.signingkey=gregthird@watson.co.uk
commit.gpgsign=true
Both sites need your public key, in ASCII-armored form (the output of gpg's --armor --export for your key); never upload the private key.
On GitHub: Your Avatar > Settings > SSH and GPG keys > New GPG key, and paste the public key block. GitHub marks a commit as Verified only if the signing key's email matches a verified email on your account.
In the Vigilant mode section you can check the Flag unsigned commits as unverified option: "This will include any commit attributed to your account but not signed with your GPG or S/MIME key. Note that this will include your existing unsigned commits."
On Codeberg: Your Avatar > Settings > SSH / GPG keys > Add key.
You can then verify your newly added GPG key with Codeberg's key verification method.
Then, in your working repository:
- Make changes to the repository contents.
- Stage them:
git add .
- Commit. With commit.gpgsign set to true every commit is signed automatically; the -S option forces a signature regardless of that setting:
git commit -S -m "<your message>"
You will be prompted for the key's passphrase. gpg-agent caches it for a limited time (10 minutes by default, set by default-cache-ttl in gpg-agent.conf), not once per boot, so expect the prompt again once the cache expires.
- Push, adjusting the options to your setup:
git push
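The whole procedure end to end, as an added example that is not part of the original guide: it runs in a throwaway GNUPGHOME and git repository, generates the key non-interactively, exports the public key block the hosting sites ask for, configures git with the key fingerprint, makes a signed commit, and then shows what a verifier sees for a signed commit, for an unsigned commit made under the same name and email, and for a commit whose message was altered after signing. The identity is the guide's sample identity; the empty passphrase and the one-year expiry are assumptions made so the script can run unattended.

```shell
#!/bin/sh
# Added example, not from the original guide. Needs gpg (2.1+) and git on PATH;
# prints "skipped" otherwise. Everything happens under a temporary directory.
set -eu

demo_signed_commit() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d)
  (
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # 1. Key: Ed25519, sign-only, one-year expiry (assumed). Empty passphrase is
    #    for unattended use only; on a real machine choose a strong one.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Gregory Watson III <gregthird@watson.co.uk>' ed25519 sign 1y
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ { print $10; exit }')

    # 2. The public key block to paste into GitHub / Codeberg "New GPG key".
    gpg --batch --armor --export "$fpr" > "$work/pubkey.asc"
    head -n 1 "$work/pubkey.asc" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK'

    # 3. Repository-local git config; the fingerprint names exactly one key.
    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name 'Gregory Watson III'
    git config user.email 'gregthird@watson.co.uk'
    git config user.signingkey "$fpr"
    git config commit.gpgsign true

    # 4. A signed commit (commit.gpgsign makes -S implicit).
    echo hello > README
    git add README
    git commit -q -m 'signed commit'
    signed=$(git log -1 --format=%G?)      # G = good signature from a trusted key

    # 5. Anyone can set user.email: an unsigned commit in your name shows N.
    git -c commit.gpgsign=false commit -q --allow-empty -m 'unsigned, same identity'
    unsigned=$(git log -1 --format=%G?)

    # 6. Integrity: keep the signature but rewrite the message of the signed
    #    commit into a new object; the old signature no longer verifies.
    tampered=$(git cat-file commit HEAD~1 | sed 's/signed commit/tampered message/' \
               | git hash-object -t commit -w --stdin)
    if git verify-commit "$tampered" 2>/dev/null; then integrity=accepted; else integrity=rejected; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "signed=$signed unsigned=$unsigned tampered=$integrity"
  )
  rm -rf "$work"
}

demo_signed_commit
```

Run it with sh. On your own repository the equivalent checks are git log --show-signature and git verify-commit HEAD; the %G? placeholder used above is handy in scripts and CI jobs that should reject unsigned (N) or bad (B) commits.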