Sign your Git commits with PGP

Published in category Git. Tags: Git, PGP


Over the last few days I tinkered with a few Git features I hadn't tried yet. One of them was signed commits. A signed commit lets other people verify that it was really you who committed the changes, so if they trust you as a person, they can extend that trust to your code.

It's pretty easy to set up, and once configured, everything else happens automatically.

Install GPG

I'm on a Mac, so I installed GPG Suite. It comes with a graphical interface as well as all the necessary command-line tools. On Linux you can install gpg through your favorite package manager.

Generate a key pair

I used the graphical GPG Keychain tool to create a key pair specifically for use with Git.

[Screenshot: GPG Keychain]

After creating the key you can find its fingerprint in the details pane:

[Screenshot: GPG key details]

Configure Git

Now that your private and public keys are in your GPG keychain, use the key's fingerprint to tell Git which key to sign your work with:

git config --global user.signingkey 901E12802397434F90C97253071B48AAEVCE696E
git config --global commit.gpgSign true

You can of course do this per project by omitting --global.

Configure your GitHub / GitLab account

After configuring this and making my first signed commit, I was a bit upset not to see the green lock symbol on GitHub and GitLab. The reason is that the email address on your key must match the primary email address of your account, and that address must be verified. You can do this in your account settings; afterwards everything should work fine.

That’s it! Now you’re ready to sign your commits.
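As an added example (not from the original post): signing is only half of the trust story; the other half is checking signatures on the receiving side. This Python script parses the output of `git log --format='%H%x09%G?%x09%GF%x09%GS'` and accepts a commit only when git reports a good signature and the signing key's fingerprint is on an allowlist you control. The SHAs, fingerprints and names in the sample are constructed.

```python
"""Audit commit signatures from `git log` output.

Feed it the output of
    git log --format='%H%x09%G?%x09%GF%x09%GS'
(commit hash, signature status, signing-key fingerprint, signer name,
tab-separated) plus the fingerprints you trust.  Trust is decided by the
allowlist here, not by the local gpg web of trust, so a "U" (good
signature, unknown validity) is fine when the fingerprint is allowlisted.
"""
from dataclasses import dataclass

# Meaning of git's %G? placeholder, from git-log(1) "PRETTY FORMATS".
STATUS = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature, untrusted key", "X": "good signature, expired",
    "Y": "good signature, expired key", "R": "good signature, revoked key",
    "E": "signature cannot be checked", "N": "no signature",
}

@dataclass
class Commit:
    sha: str
    status: str
    fingerprint: str
    signer: str

def parse_log(text: str) -> list[Commit]:
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        parts += [""] * (4 - len(parts))          # unsigned commits have empty %GF/%GS
        sha, status, fpr, signer = parts
        commits.append(Commit(sha, status, fpr.replace(" ", "").upper(), signer))
    return commits

def audit(text: str, trusted: set[str]) -> dict[str, list[str]]:
    """Return {"ok": [...], "rejected": [...]} of commit SHAs."""
    allow = {f.replace(" ", "").upper() for f in trusted}   # accept spaced fingerprints
    result: dict[str, list[str]] = {"ok": [], "rejected": []}
    for c in parse_log(text):
        good = c.status in ("G", "U") and c.fingerprint in allow
        result["ok" if good else "rejected"].append(c.sha)
    return result

# Constructed sample: made-up SHAs, fingerprints and signers.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
SAMPLE_LOG = "\n".join([
    f"{'1' * 40}\tG\t{TRUSTED_FPR}\tAlice Example <alice@example.com>",
    f"{'2' * 40}\tU\t{TRUSTED_FPR}\tAlice Example <alice@example.com>",
    f"{'3' * 40}\tG\t{OTHER_FPR}\tSomeone Else <else@example.com>",  # good sig, key not allowlisted
    f"{'4' * 40}\tN\t\t",                                            # unsigned commit
    f"{'5' * 40}\tB\t{TRUSTED_FPR}\tAlice Example <alice@example.com>",  # bad signature
])

if __name__ == "__main__":
    for verdict, shas in audit(SAMPLE_LOG, {TRUSTED_FPR}).items():
        print(verdict, shas)
```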