Signing Commits With GPG
GitLab has great documentation for signing commits with GPG that describes the process in detail. This page is more of a quick reference / cheat sheet.
TL;DR
Assuming GPG is installed.

For new commits:

```sh
gpg --gen-key                                      # generate a key pair, or
gpg --full-gen-key                                 # for more options
gpg --list-secret-keys --keyid-format LONG $EMAIL  # get the KEYID: the 16-character string on the sec line
gpg --armor --export $KEYID                        # export, i.e. print, the public key
```

- copy the public key, go to GPG Keys under User Settings on e Foundation GitLab, paste the key and click Add key.

```sh
git config --global user.signingkey $KEYID  # tell git which key to use
git commit -S -m "My commit message"        # test a GPG-signed commit
git config --global commit.gpgsign true     # tell git to always sign commits with GPG
git log --show-signature                    # verify it works
```

For existing commits:

```sh
git checkout -b gpg-sign-$YOUR_NAME  # make a branch
git log                              # check the log and select a commit hash
git rebase -i $COMMIT_HASH           # start an interactive rebase, or
git rebase -i --root                 # to start from the beginning
```

- in the editor (vim), replace pick with reword: `:%s/^pick/reword/gc`

```sh
git commit --amend --no-edit
git rebase --continue
```

- repeat the last 2 steps until the rebase is done.
New commits

Creating a GPG key

- ensure that GPG is installed for your operating system.
- generate your key pair with

```sh
gpg --gen-key
```

or, for more options,

```sh
gpg --full-gen-key
```

- list your keys with

```sh
gpg --list-secret-keys --keyid-format LONG $EMAIL
```

- take note of the `sec` line: the 16-character hexadecimal string after the slash is the KEYID.
- export the public key with

```sh
gpg --armor --export $KEYID
```

Adding a GPG key to your GitLab account

- `gpg --armor --export $KEYID` should print a long block of text starting with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`. That is what we need for now.
- to add the key to GitLab: sign in to e Foundation GitLab -> in the top-right corner, select your avatar -> select Edit profile -> on the left sidebar, select GPG Keys -> in Key, paste the public key -> select Add key. Again, add the public key, NOT the private key. On success, the key is listed on the GPG Keys page.
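The two values the steps above ask you to pick out by eye, the KEYID on the `sec` line and the armored public key block, can both be checked by a script. The following is an added example and not part of the original wiki page; it never calls gpg itself, the listing it parses is a constructed sample in the format `gpg --list-secret-keys --keyid-format LONG` prints, and the key id and dates in it are made up. The second helper refuses a file that contains a private key block, which is the mistake the step above warns about.

```sh
#!/bin/sh
# Added example (not from the original wiki page). Helpers for the
# "Creating a GPG key" and "Adding a GPG key" steps.

# Constructed sample listing in `gpg --list-secret-keys --keyid-format LONG`
# format; the key id, fingerprint and dates are made up for this example.
SAMPLE_LISTING='sec   rsa4096/0123456789ABCDEF 2024-01-01 [SC]
      AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/FEDCBA9876543210 2024-01-01 [E]'

# Print the 16-hex-character KEYID from the first `sec` line read on stdin.
# This is the value to pass to `git config --global user.signingkey`.
gpg_keyid_from_listing() {
  sed -n 's|^sec[[:space:]][[:space:]]*[^/]*/\([0-9A-Fa-f]\{16\}\).*|\1|p' | head -n 1
}

# Check that a file holds one armored PUBLIC key block and nothing that looks
# like a private key, before it is pasted into GitLab. Returns 0 on success.
check_public_key_block() {
  f=$1
  [ -f "$f" ] || return 1
  grep -q 'PRIVATE KEY BLOCK' "$f" && return 1     # never upload the private key
  [ "$(grep -c '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' "$f")" = 1 ] || return 1
  [ "$(tail -n 1 "$f")" = '-----END PGP PUBLIC KEY BLOCK-----' ] || return 1
  return 0
}

# Demo on the constructed listing. Real use:
#   gpg --list-secret-keys --keyid-format LONG "$EMAIL" | gpg_keyid_from_listing
KEYID=$(printf '%s\n' "$SAMPLE_LISTING" | gpg_keyid_from_listing)
echo "KEYID: $KEYID"   # prints 0123456789ABCDEF

# Real use of the second helper:
#   gpg --armor --export "$KEYID" > pubkey.asc && check_public_key_block pubkey.asc
```

Both helpers are POSIX sh, so they work with whatever `/bin/sh` the machine has. `check_public_key_block` only looks at the armor headers; it does not verify the key material itself, which gpg already did when it exported it.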
Associating the GPG key with Git

- assuming the KEYID is known from the previous step, tell git which key to sign with

```sh
git config --global user.signingkey $KEYID
```

- optionally set the GPG program with

```sh
git config --global gpg.program gpg2
```

Signing Git commits

- commits can now be signed with

```sh
git commit -S -m "My commit message"
```

- the `-S` flag can be skipped by setting `commit.gpgsign` to true with

```sh
git config --global commit.gpgsign true
```

Verifying that signing works

- go to Commits from the Project or MR page; each commit shows either a Verified or Unverified badge, depending on the verification status of its GPG signature.
- additionally, signed commits can be checked from the git CLI with

```sh
git log --show-signature
```
Existing commits
What if we need to sign our old, existing commits with GPG? That is possible too. To do that:

- go to the project you want to sign from the git CLI
- make a branch

```sh
git checkout -b gpg-sign-$YOUR_NAME
```

- see the log with `git log` and select the commit you want to start from
- start an interactive rebase with

```sh
git rebase -i $COMMIT_HASH
```

or, if you want to start from the beginning,

```sh
git rebase -i --root
```

- we want to 'reword' the commits, so set `r` for all the commits we want to sign. Assuming git opens vim, we can do this with `:%s/^pick/reword/gc`, then save with `:wq`
- now start signing with

```sh
git commit --amend --no-edit
```

then

```sh
git rebase --continue
```

and repeat until the rebase is done.
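The vim substitution above is the one manual step in this procedure, and it is easy to miss a line when confirming each match with `gc`. The script below is an added example, not part of the original wiki page, that does the same rewrite non-interactively so git can run it as its sequence editor; the file name `reword-all.sh` in the usage comment is an assumption. It only touches lines that begin with the `pick` command, so comment lines from git's help text and any `edit` or `squash` lines you set by hand are left alone.

```sh
#!/bin/sh
# Added example (not from the original wiki page): a non-interactive stand-in
# for the vim substitution `:%s/^pick/reword/gc` on the rebase todo list.

# Rewrite `pick <hash> <subject>` lines to `reword <hash> <subject>` in place.
# A temp file plus mv is used instead of `sed -i`, whose syntax differs
# between GNU and BSD sed.
reword_all_picks() {
  todo=$1
  [ -f "$todo" ] || return 1
  tmp="$todo.tmp"
  # Only lines that start with the pick command are changed; `# p, pick` in
  # git's help text and lines that are already reword/edit/squash stay as is.
  sed 's/^pick /reword /' "$todo" > "$tmp" && mv "$tmp" "$todo"
}

# Count how many commits the todo list would still replay as plain picks, so
# you can confirm nothing was missed before git starts the rebase.
count_remaining_picks() {
  grep -c '^pick ' "$1" || true
}

# When git invokes this script as the sequence editor it passes the todo file
# path as the only argument.
if [ $# -eq 1 ]; then
  reword_all_picks "$1"
  echo "picks left: $(count_remaining_picks "$1")" >&2
fi

# Example invocation (assumed file name), equivalent to doing the vim
# substitution by hand and then starting from the first commit:
#   GIT_SEQUENCE_EDITOR='sh reword-all.sh' git rebase -i --root
```

With `commit.gpgsign` set to true as in the section above, every commit that git re-creates during the rebase is signed with your key; the `git commit --amend --no-edit` and `git rebase --continue` steps then proceed exactly as described. Check the result afterwards with `git log --show-signature`.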
Troubleshooting

- `error: gpg failed to sign the data` followed by `fatal: failed to write commit object`?
  - ensure that gpg itself works outside git; the command below signs a short test message:

```sh
echo "test" | gpg --clearsign
```

- the GPG signature gets lost when the MR is merged, as there is no way to add a GPG key signature on the Web. related issues:
- This seems very Linux specific and needs a lot of CLI commands to be used. I would like to use a GUI tool to manage the key or achieve the goal.
  - Once git and gnupg are installed, the procedure is the same for all environments. If even after that you fear the CLI, try out a few GUI tools and let us know what worked best by adding it to this wiki. Found this one for Windows: https://github.com/nextcloud/server/wiki/How-to-sign-your-commits-using-PGP
- I use X IDE. How can I use GPG with it?
  - It would be out of scope for this wiki to add the process for all IDEs. If you find a good guide for a popular IDE like VS Code or JetBrains, please feel free to edit the wiki and extend it.