Signed commits allow others to trust that changes you’ve made really are made by you.
To achieve this using GPG you will need an existing key, or to generate a new one, and to configure your GitHub account with your new key. It’s also a massive life saver to auto-sign commits, as typing passwords every 10 minutes isn’t much fun!
Install GPG and GPG Agent packages
On OSX, gpg and gpg-agent can be installed using Homebrew:
brew install gpg gpg-agent
Generate a GPG key
To generate a new key, enter the following gpg command into a terminal, along with your real name, email and passphrase when prompted. (NB: Use a unique password here and not one associated with any other account, as this passphrase will later be stored in plain text within your .bashrc file.)
gpg --default-new-key-algo rsa4096 --gen-key
Adding the GPG key to your GitHub account
The instructions at the following link will guide you through exporting your public key for use with your GitHub account.
https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
Updating .bashrc to preset your passphrase
In order to benefit from auto-signed commits without a passphrase prompt, we’ll need to preset our passphrase with the gpg-agent, which caches it for later use and allows GitHub commits to function seamlessly.
The following code, to be pasted into your ~/.bashrc file, will set your git config with a signing key, remove any existing gpg-agent processes and then finally start a new gpg-agent with your passphrase preset:
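# github auto-signed commits
# Replace the three placeholders below; keep the single quotes so that
# special characters in the passphrase are not interpreted by the shell
export GPG_SIGNING_KEY='<ADD_GPG_SIGNING_KEY_HERE>'
export GPG_PASSPHRASE='<ADD_GPG_PASSPHRASE_HERE>'
export GPG_PRESET='<ADD_GPG_PRESET_HERE>'
# gpg-preset-passphrase is installed in GnuPG's libexec directory, so add it to PATH
export GNUPGPATH=/usr/local/Cellar/gnupg/2.2.9/libexec
export PATH="$PATH:$GNUPGPATH"
export GPG_TTY=$(tty)
git config --global user.signingkey "$GPG_SIGNING_KEY"
git config --global commit.gpgsign true
# restart the agent with preset passphrases allowed
pkill gpg-agent
eval $(gpg-agent --daemon --allow-preset-passphrase --default-cache-ttl 1 --max-cache-ttl 31536000)
# -P passes the passphrase on the command line; without it,
# gpg-preset-passphrase reads the passphrase from stdin
gpg-preset-passphrase -P "$GPG_PASSPHRASE" --preset "$GPG_PRESET"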
Replacing GPG_PASSPHRASE
Replace <ADD_GPG_PASSPHRASE_HERE> in the .bashrc file with your unique passphrase.
Replacing GPG_SIGNING_KEY and GPG_PRESET
In a terminal, enter:
gpg --fingerprint --list-secret-keys --with-keygrip --keyid-format LONG
output:
We can find the signing key after rsa4096/ (e.g. 92E95393EDB7921F above), and use this value to replace <ADD_GPG_SIGNING_KEY_HERE> in the .bashrc file.
Also, the Keygrip value (e.g. 8797FD2EAABD7314AEEB0D71F46B22619508E672) can be found above the key created using your name/email, and it should replace <ADD_GPG_PRESET_HERE> in the .bashrc file.
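Reading the two values off the listing by eye gets error-prone once a key has subkeys, because the keygrip handed to gpg-preset-passphrase must belong to the key that actually signs. The following is an added example, not part of the original post: it pulls both values from gpg's --with-colons output and, going beyond the single-key case in the text, handles signing subkeys and skips revoked or expired keys. The sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pick GPG_SIGNING_KEY and GPG_PRESET out of gpg's
# machine-readable listing instead of reading them off the screen.
# Real use:
#   gpg --list-secret-keys --with-colons --with-keygrip | bashrc_exports

# Constructed sample listing. The key ID and first keygrip are the
# example values from the text; every other value is made up.
sample_listing() {
  cat <<'EOF'
sec:u:4096:1:92E95393EDB7921F:1533081600:::u:::scESC:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA92E95393EDB7921F:
grp:::::::::8797FD2EAABD7314AEEB0D71F46B22619508E672:
uid:u::::1533081600::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1533081600::::::e:::+:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111:
grp:::::::::2222222222222222222222222222222222222222:
EOF
}

# Print "KEYID KEYGRIP" for each secret key or subkey that can sign.
# Colon format: field 1 = record type, 2 = validity, 5 = key ID,
# 12 = capabilities (lowercase "s" = this key signs); a "grp" record
# carries the keygrip of the preceding key in field 10.
signing_keygrips() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      keyid = $5
      # skip revoked (r) and expired (e) keys
      signs = ($12 ~ /s/ && $2 != "r" && $2 != "e")
      next
    }
    $1 == "grp" && signs { print keyid, $10; signs = 0 }
  '
}

# Emit the two export lines for the first signing-capable key.
bashrc_exports() {
  signing_keygrips | awk 'NR == 1 {
    print "export GPG_SIGNING_KEY=" $1
    print "export GPG_PRESET=" $2
  }'
}

sample_listing | bashrc_exports
```

The encryption-only subkey in the sample is ignored because its capability field lacks a lowercase "s".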
Finally
Save your .bashrc file, close and reopen your bash terminal, then navigate to a repository and commit changes with the -S flag.
git commit -S -am "Testing GH signed commit"
...and your commits should now be auto-signed, and trusted!