git: Signing commits
Git allows verification that work is from trusted or known sources by way of signed commits.
SSH setup
Firstly, if you don’t have this set up already: to access git from the command line using an SSH key, simply ensure the ~/.ssh/config file includes the key you want to use in an IdentityFile value. For example…
You’ll need to add that key to your GitHub account too. See “Adding a new SSH key to your GitHub account”.
GPG setup
check available keys
    gpg --list-secret-keys --keyid-format LONG
    # ~/.gnupg/pubring.gpg
    # -------------------------------------
    # sec   rsa4096/876EA2A69C6C55F0 2018-07-10 [SC]
    #       0C10A2A69C19DC0D3806A51435C1336C876E55F0
    # uid                 [ultimate] Your Name <[email protected]>
    # ssb   rsa4096/F5C5F988807BAACF 2018-07-10 [E] [expires: 2021-01-10]
add knowledge of the key to git
    git config --global user.signingkey 0C10A2A69C19DC0D3806A51435C1336C876E55F0
    # set to always sign commits !!!
    git config --global commit.gpgsign true
to test
    echo "test" | gpg --clearsign
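To confirm that commits really are signed by the key configured as user.signingkey, this added example (not part of the original page) audits `git log` output using git's `%G?` signature-status and `%GP` primary-key-fingerprint placeholders. The function names, the sample log lines and the single-key allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit commit signatures against one pinned signing key.
# Input lines: "<commit> <status> <primary-key fingerprint>", as printed by
#   git log --format='%h %G? %GP' <range>

# Assumption: the only trusted signer is the key set as user.signingkey above.
TRUSTED_FPR="0C10A2A69C19DC0D3806A51435C1336C876E55F0"

# Prints one line per rejected commit; exit status 1 if any commit is rejected.
# The body runs in a subshell "( )" so its variables do not leak to the caller.
audit_signatures() (
  trusted="$1"
  rc=0
  while read -r commit status fpr; do
    [ -n "$commit" ] || continue
    case "$status" in
      G|U) reason="" ;;  # good signature; U = key not marked trusted locally
      B) reason="bad signature" ;;
      X) reason="signature expired" ;;
      Y) reason="signed by an expired key" ;;
      R) reason="signed by a revoked key" ;;
      E) reason="signature cannot be checked (missing key)" ;;
      N) reason="no signature" ;;
      *) reason="unrecognised status '$status'" ;;
    esac
    # A valid signature is only accepted from the pinned fingerprint.
    if [ -z "$reason" ] && [ "$fpr" != "$trusted" ]; then
      reason="signed by untrusted key $fpr"
    fi
    if [ -n "$reason" ]; then
      printf '%s %s\n' "$commit" "$reason"
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample input (commit ids and the second fingerprint are made up).
sample_log() {
  cat <<'EOF'
a1b2c3d G 0C10A2A69C19DC0D3806A51435C1336C876E55F0
b2c3d4e N
c3d4e5f G 1111111111111111111111111111111111111111
d4e5f6a E
EOF
}

sample_log | audit_signatures "$TRUSTED_FPR" || echo "audit failed"
```

Against a real repository, replace `sample_log` with the `git log --format='%h %G? %GP' <range>` command from the header comment.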
[Optionally] to remove a passphrase from the key
Issue the command below, then type passwd in the prompt. It will ask you to provide your current passphrase and then the new one. Just hit Enter for no passphrase. Then type quit to quit the program.

    gpg --edit-key <keyid>
    ┌────────────────────────────────────────────────────────────────┐
    │ Please enter the passphrase to unlock the OpenPGP secret key:  │
    │ "Your Name <[email protected]>"                                │
    │ 4096-bit RSA key, ID 876EA2A69C6C55F0,                         │
    │ created 2018-07-10.                                            │
    │                                                                │
    │                                                                │
    │ Passphrase: __________________________________________________ │
    │                                                                │
    │         <OK>                                   <Cancel>        │
    └────────────────────────────────────────────────────────────────┘