If you have multiple git accounts, one for personal use and one or more for work, it is really handy to set up GPG keys for signing commits and SSH keys for using git over ssh.
GnuPG (GNU Privacy Guard) is a public key cryptography implementation that lets you encrypt and sign data and communications.
In the software development world, GPG keys are commonly used to sign our git commits so that others can verify them. And why do we want to sign our commits?
The answer is pretty straightforward. Our names and emails are not private and anybody can easily find them, so I can run
git config user.name and
git config user.email with any name and email, commit with those values, and from git's point of view this is working as intended. Being able to impersonate other committers does not by itself introduce a vulnerability, because when we
git push, GitHub or GitLab will require us to authenticate with our credentials before we can do that. But unsigned commits do not guarantee the following:
– The author is really the person named in the commit.
– The code change is really what the author wrote, without having been manipulated.
Signing our commits gives us the ability to prove we were the authors of our code changes. It also means nobody can modify our commits afterwards, not even metadata such as the time we claimed they were made, without the signature failing to verify.
First thing, we need to install GPG.
Install the latest version.
– On Windows, download Gpg4win from the GnuPG website.
– On Mac use Homebrew:
brew install gpg. Also install pinentry-mac with
brew install pinentry-mac.
Then restart the GPG agent:
gpgconf --kill gpg-agent.
This file should be present:
~/.gnupg/gpg-agent.conf with something like this as content (a pinentry-program line):
The path should be where Homebrew installed pinentry-mac; it may differ between Apple silicon (M1) Macs and Intel Macs.
Also export GPG_TTY in your environment variables by adding this line:
– Most Linux distros come with GPG pre-installed; if not, you can find it in their official repositories.
Generate a GPG Key pair
Run the following command:
– Select option 4 (RSA)
– Key size 4096
– 0 (the key does not expire)
Then answer a few questions: your real name and email address.
After this you will be asked to type a passphrase, which is used to encrypt your secret key. This is very important: fill in the passphrase and do not leave it empty. Otherwise, if attackers steal your secret key, they will be able to sign commits pretending to be you.
To verify the keys you have created, run:
gpg --list-secret-keys --keyid-format LONG
gpg --list-keys --keyid-format LONG
The output looks like this:
gpg --list-keys --keyid-format LONG
/Users/ffgm/.gnupg/pubring.kbx
------------------------------
pub   rsa4096/F2B0CF302345F4239 2022-02-09 [SC]
      4A0BD48948DBF4654F8E149CE1B9FF30654F4389
uid           [ultimate] Your Name <email@example.com>
sub   rsa4096/F2B0CF302345F4239 2022-02-09 [E]
To test that gpg is working you can run
echo "hello test" | gpg --clearsign to sign a message.
Configure Git to sign your commits
~/.gitconfig should look like this:
[commit]
    gpgsign = true
[user]
    useConfigOnly = true
[includeIf "gitdir:/Users/ffgm/personal/"]
    path = ~/.gitconfig.personal
[includeIf "gitdir:/Users/ffgm/workspace/"]
    path = ~/.gitconfig.workspace
gpgsign = true enforces commit signing on every commit.
includeIf lets us separate our configuration depending on which folder we are working in. If I am in
~/ffgm/personal then the personal configuration is used, meaning git will use the personal GPG signing key.
useConfigOnly prevents git from guessing the name and email and forces it to read them from the configuration files. If the email is missing, git will complain when you try to do a
~/.gitconfig.personal:
[user]
    email = firstname.lastname@example.org
    name = Your Name
    signingKey = <PERSONAL GPG SIGNING KEY ID>
[url "email@example.com"]
    insteadOf = firstname.lastname@example.org
~/.gitconfig.workspace:
[user]
    signingKey = <WORK GPG SIGNING KEY ID>
    name = Your Name
    email = email@example.com
[url "firstname.lastname@example.org"]
    insteadOf = email@example.com
Make sure to upload the GPG key to GitLab, GitHub or whatever your git provider is. Running
gpg --armor --export YOUR-KEY will print your public key for you to copy and paste into your git provider.
To generate SSH keys run the following command: ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
You can use other algorithms, but ed25519 is the recommended one. Then ~/.ssh/config should look like this:
Host gitlab.com-personal
    PreferredAuthentications publickey
    HostName gitlab.com
    User personal-gitlab-user
    IdentityFile ~/.ssh/personal_id_ed25519

Host gitlab.com-workspace
    PreferredAuthentications publickey
    HostName gitlab.com
    User work-gitlab-user
    IdentityFile ~/.ssh/workspace_id_ed25519

Host *
    AddKeysToAgent yes
    IdentitiesOnly yes
    PreferredAuthentications publickey
    Compression yes
    UseKeychain yes
It is important not to change the order of the configuration: ssh uses the first value it finds for each option, so the specific Host blocks must come before Host *.
You also need to upload the SSH public key to your preferred git provider.
Once you have set up GPG and SSH, your commits will show up with the Verified label:
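The Verified label is what the provider shows; as an added example that is not part of the original post, the following POSIX shell script checks the same thing locally, listing every commit in a repository whose signature git cannot verify as good. It assumes git and gpg are installed and the relevant public keys are in your keyring; classify_signatures and audit_repo are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): audit a repository for commits
# that do not carry a good GPG signature. git's %G? placeholder reports one
# letter per commit: G good, B bad, U good but untrusted key, X good but
# expired signature, Y good but expired key, R good but revoked key,
# E cannot be checked (e.g. public key missing), N no signature at all.

# classify_signatures reads "<hash> <status> <keyid>" lines on stdin, prints
# one "ok"/"FAIL" line per commit and exits 1 if any commit is not 'G'.
classify_signatures() {
    awk '
        NF == 0 { next }
        {
            hash = substr($1, 1, 12)
            status = $2
            key = ($3 == "") ? "-" : $3
        }
        status == "G" { print "ok   " hash " signed by " key; next }
        status == "N" { print "FAIL " hash " unsigned"; bad++; next }
        status == "U" { print "FAIL " hash " good signature but untrusted key " key; bad++; next }
        status == "B" { print "FAIL " hash " BAD signature"; bad++; next }
        status == "E" { print "FAIL " hash " cannot verify (key " key " not in keyring?)"; bad++; next }
        { print "FAIL " hash " status " status " (key " key ")"; bad++ }
        END { if (bad > 0) exit 1 }
    '
}

# audit_repo runs the audit on a real repository, e.g. (hypothetical paths):
#   audit_repo ~/workspace/project origin/main..HEAD
# git prints hash, signature status and signing key id for every commit.
audit_repo() {
    repo=$1
    range=${2:-HEAD}
    git -C "$repo" log --format='%H %G? %GK' "$range" | classify_signatures
}
```

A non-zero exit status from audit_repo makes it usable as a pre-merge or CI gate.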