A Guide to Sign Your GitHub Commits: Ensure Integrity and Traceability

Introduction

Signing GitHub commits is essential for preserving the integrity and verifying authorship in open-source contributions. Discover how to add cryptographic signatures to your commits, ensuring tamper-proof records and establishing trust within the open-source community.

There are two methods for signing commits: GPG keys and SSH keys. In this article, we will focus on the GPG keys method.

To sign commits using GPG keys, you must generate and add a key to your GitHub account.

GPG Key Generation

1. Check if GPG is installed

gpg --help

If a help menu appears, GPG is already installed. If it does not, install it:

sudo apt-get install gnupg

2. Check key availability

gpg --list-keys

If you see this warning

warning: unsafe permissions on homedir

tighten the permissions on the GnuPG home directory (by default ~/.gnupg):

chmod 0700 ~/.gnupg

3. Now start generating the key

gpg --full-generate-key

4. When generating the key for signing and encrypting, select the default option (1) RSA and RSA (default).

5. When asked for a key size, choose a larger value rather than a smaller one; 4096 bits is a good choice. Generating a key of this size takes a little longer.

6. Next, choose an expiration date. The CLI lets you enter 0, which means the key never expires. For better security, we recommend an expiration of 1 year: type "1y".

7. To confirm, select 'Y'. Provide your real name, which should match your GitHub account, and the email address associated with your GitHub account. You will then be prompted for an optional comment. If everything is correct, type 'O' and press Enter.

8. Now set a passphrase. This is very important: store it somewhere safe. The prompt will ask you to re-enter the passphrase; do so.

9. The message "public and secret key created" is shown. To check your keys:

gpg --list-keys

Your key will now show up here.

10. Expiration date update: if you want to change the expiration date

gpg --edit-key your_email@example.com

An interactive prompt appears. Assuming this is the first key, type key 0, then type expire. The prompt asks "Key is valid for?"; enter the time after which the key should expire: for 1 year type 1y, for 2 years type 2y, then confirm. You will be asked for the passphrase again. The expiration date is now updated in memory but not yet written to disk, so type save in the prompt.

11. Passphrase update: if you want to change your passphrase

gpg --passwd your_email@example.com

Enter the current passphrase, then the new passphrase, and your passphrase is changed.

12. Revocation certificate: if your GPG key is compromised and you need it to become invalid before its expiration date, or the very next day, a revocation certificate has to be imported. Since GnuPG 2.1, a revocation certificate is generated by default when your GPG key is created. To revoke your GPG key, import it:

gpg --import example.asc

Now if you list your keys, the [revoked] badge will appear against your key.

Add GPG key to GitHub Account

a) To upload your public key to GitHub, first export it in the CLI

gpg --export --armor your_email@example.com

b) A public key block like this will appear

-----BEGIN PGP PUBLIC KEY BLOCK-----

kjbGKkwwhjiwooohwhwoeofhhh

-----END PGP PUBLIC KEY BLOCK-----

c) Copy the entire key.

d) Go to the GitHub website and log in to your account.

e) Navigate to the 'Settings' section.

f) Find and select the 'GPG Key' option.

g) Paste your GPG key into the provided field.

h) Save your changes.

Sign Commits with GitHub Codespaces

GitHub Codespaces can be configured so that every commit made from a codespace is signed automatically. After generating the GPG key pair, follow these steps.

a) Go to the GitHub website and log in to your account.

b) Navigate to the 'Settings' section.

c) Under the 'Code, planning, and automation' section choose Codespaces

d) Under GPG verification click "Enable".

e) Under the "Trusted repositories" section you can choose all repositories or specific repositories that you trust.

Now all commits made from Codespaces will be signed automatically and the Verified badge will appear beside every commit.

Sign Commits from Linux CLI

a) Configure the user name

git config --global user.name "Your_Github_User_Name"

b) Configure the user email

git config --global user.email "Your_Github_Email_ID"

c) To configure the signing key first copy the "Key ID" from your generated GPG key. Then run

git config --global user.signingkey your_key_id

d) Configure git such that all commits are automatically signed

git config --global commit.gpgsign true

e) Sign your tags as well

git config --global tag.gpgsign true

f) We need to tell git where the GPG program is. To find it, type

which gpg

(on Windows, use where gpg instead)

g) Then type

git config --global gpg.program "location_of_gpg_program"

h) The configuration is now set. To check it

git config --global --list

The configuration will be listed. Now if you make a commit and push it, the Verified badge will show up beside your commit.

Sign Commits from Windows

For Windows, there are two prerequisites: GPG and Git.

a) To download gpg, go to www.gpg4win.org and download "Gpg4win".

b) Install it on Windows. Now download git and install it.

c) Clone the repo from GitHub where you want to make your signed commits.

d) Open PowerShell and change into the directory you cloned. Make sure git is installed and configured.

e) Now follow all the steps previously mentioned from generating the GPG key through Sign Commits from Linux CLI.

Now if you commit from Windows a verified badge will show up beside your commits.

Conclusion

I hope this quick article has given you an overview of signing git commits.

Here are some additional resources for exploring git commit signing further.

https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work