Signing Git Commits & Tags with GPG2 and Verified on GitHub

So I got myself a MacBook Pro and finally made the switch to the Mac world after a long time as a Windows user.

One of the things I had been meaning to do was to GPG sign my Git commits. Setting up my new MacBook proved to be the perfect time, and I finally did it.

The web has a number of tutorials that show how to sign Git commits with GnuPG (GPG), but none with GPG version 2.

In this tutorial, I will show how to sign Git commits and tags with GPG2.

FWIW, my Mac was running OS X Yosemite 10.10.3 at the time of writing. I am quite sure the guide below is pretty much the same for OS X 10.10 and greater.

Windows users should be able to follow this guide too. Not working for you? Let me know in the comments and I will see what I can do to help.

Ready? Let’s Go

First, download and install the GPG2 command line tools if you don’t already have them installed on your machine. You can check by running the gpg2 command in a terminal.

Open terminal

Run this command to generate a GPG key pair.

gpg2 --gen-key

You will be asked to enter your name and email address. Make sure the email address matches the email address on your GitHub account if you want GitHub to show your commits as verified; otherwise, ignore this advice.

To confirm your entries, type the letter “O” and press Enter/Return. You will then be asked for a passphrase to continue. You will need this passphrase whenever you sign a commit or tag.

You should now see your GPG info displayed as follows:

pub   rsa2048 2016-06-27 [S]
      89456D5E759E1A6AEEAF590AEDC2699358643879
uid           [ultimate] Collins Agbonghama <[email protected]>
sub   rsa2079 2016-06-27 []

Run the command below to export your public GPG key in ASCII-armored form, substituting in your own GPG key ID. The key ID generated in this tutorial is 89456D5E759E1A6AEEAF590AEDC2699358643879 (the 40-character fingerprint shown above).

gpg2 --armor --export 89456D5E759E1A6AEEAF590AEDC2699358643879

Copy the output, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Log in to your GitHub account. In the top right corner of any page, click your profile photo, then click Settings.
Click the SSH and GPG keys menu item.

Click New GPG key.

In the “Key” text area, paste the GPG key you copied earlier and save.

Telling Git about your GPG key

If you have forgotten your key ID, you can always retrieve it by running the gpg2 --list-secret-keys command.

To set your GPG signing key in Git, run the command below, substituting in the GPG key ID you’d like to use. In this example, the GPG key ID is 89456D5E759E1A6AEEAF590AEDC2699358643879.

git config --global user.signingkey 89456D5E759E1A6AEEAF590AEDC2699358643879

Signing commits and Tags using GPG

To sign your Git commits with GPG, add the -S flag to the git commit command like so:

git commit -S -m "your commit message"

To sign a tag, add the -s flag to your git tag command like so:

git tag -s testtag

When you create a commit or tag, you will be prompted for the passphrase you set when you generated your GPG key.

When you’ve finished creating commits locally, run the command below to push your commits and tags to your remote repository on GitHub.

git push --follow-tags

Open the commit or tag page on GitHub; you should now see the Verified badge.

GPG signed git commit

GPG signed git tag

Common Problems and Solutions

If you get an error like the one below when trying to sign a Git commit or tag, Git was unable to find the GPG executable on your machine.

error: cannot run gpg: No such file or directory
error: could not run gpg.

Remember that we installed GPG2, not the 1.x series, and its binary is installed by default as /usr/local/bin/gpg2. Git, however, was looking for /usr/local/bin/gpg, which doesn’t exist.

Running the command below explicitly tells Git where to find GPG.

git config --global gpg.program /usr/local/bin/gpg2
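As an added example that is not part of the original post, the POSIX shell function below performs the checks behind the error above before you attempt a signed commit: it reads gpg.program and user.signingkey from a gitconfig file, confirms the program can actually be run, and asks that same program whether it holds the configured secret key. The names gpg_preflight and prog_exists are chosen for this example; the config file argument is assumed to default to ~/.gitconfig.

```shell
#!/bin/sh
# gpg_preflight: check the settings Git needs before it can sign a commit or tag.
# Added example for this post, not part of it. Return codes:
#   0 ready, 1 gpg program not runnable, 2 user.signingkey unset,
#   3 signing key not present in that program's secret keyring.

# True when NAME is an executable path or a command found on PATH.
prog_exists() {
    case "$1" in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

gpg_preflight() {
    cfg="${1:-$HOME/.gitconfig}"   # config file to inspect (default: global)

    # Git runs the program named in gpg.program, or plain "gpg" if it is unset.
    # With only GPG2 installed, the plain "gpg" lookup is what fails with
    # "error: cannot run gpg: No such file or directory".
    prog=$(git config -f "$cfg" --get gpg.program 2>/dev/null)
    prog="${prog:-gpg}"
    if ! prog_exists "$prog"; then
        echo "error: cannot run $prog: set gpg.program to your gpg2 path" >&2
        return 1
    fi

    key=$(git config -f "$cfg" --get user.signingkey 2>/dev/null)
    if [ -z "$key" ]; then
        echo "error: user.signingkey is not set in $cfg" >&2
        return 2
    fi

    # Ask the same program Git will use whether it holds a secret key for the
    # configured ID; gpg exits non-zero when no key matches.
    if ! "$prog" --batch --list-secret-keys --with-colons "$key" >/dev/null 2>&1; then
        echo "error: $prog has no secret key matching $key" >&2
        return 3
    fi

    echo "ok: $prog will sign with key $key"
}
```

Run it as gpg_preflight (or gpg_preflight path/to/gitconfig) after the git config commands above; a non-zero exit tells you which of the three settings still needs fixing.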

Automatically Signing Your Git Commits

You can configure Git to automatically sign your commits (and tags) without specifying the -S (and -s) flags by running git config --global commit.gpgsign true, or by adding the following to ~/.gitconfig:

[commit]
        gpgSign = true

Conclusion

I suck at writing conclusion. Please make do without one.
