How to Verify Your Commits
Anyone can be anyone when it comes to commits. For example, here is a commit where ””Linus Torvalds”” deletes Linux. I put this document together for myself a while back, but I thought I would share it with other people who want a straightforward guide to setting up commit signing with GPG.
Instructions
- Install gpg
brew install gnupg2(orsudo apt-get install gnupg2, etc) - Generate the key with
gpg --full-generate-key(the default type is probably fine) - Make sure it is at least
4096bits - Make sure you use your Github no-reply email or an email provided to your Github account.
- Get the signing key by running
gpg --list-secret-keys --keyid-format=long
- In the following list, the signing key is
3AA5C34371567BD2
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot
ssb 4096R/42B317FD4BA89E7A 2016-03-10- Get your public key by running
gpg --armor --export YOUR-SIGNING-KEY-HERE | pbcopy - Add your gpg key to your Github key settings
- Turn on Vigilant mode at the bottom of that page.
- Add your signing key to your Git config
git config --global user.signingkey YOUR-SIGNING-KEY-HERE - To sign all commits run
git config --global commit.gpgsign true - Add the GPG export to your zshconfig
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc;
For Mac
- Mac: You can let Keychain manage your pin entry by running
brew install pinentry-mac - Tell gpg about it with
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf - Restart gpg agent
killall gpg-agent
Backup Key
- Export the public key
gpg --export -a YOUR-SIGNING-KEY-HERE > gpg-public.asc - Export the private key
gpg --export-secret-keys -a YOUR-SIGNING-KEY-HERE > gpg-secret.asc - You now should have two files
gpg-public.ascandgpg-secret.ascin your current directory
Restore Key
- Import the public key
gpg --import gpg-pub.asc - Import the secret key
gpg --import gpg-sc.asc
