Tag Archives: GitHub

Setting up GPG signing for Git/GitHub on Windows

What I did to get from working GPG to green and verified signatures for Git commits and tags on GitHub.

  1. Find the long id of the Signing key we want to use:
    🔶 $ gpg --edit-key alice
    gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  4096R/AA79CCAE  created: 2017-08-23  expires: never       usage: SC
                         trust: ultimate      validity: ultimate
    sub  4096R/62275E24  created: 2017-08-23  expires: never       usage: S 👈
    sub  4096R/4AEA9524  created: 2017-08-23  expires: never       usage: E
    [ultimate] (1). Alice Person (alice) <alice.person@example.com>
    [ultimate] (2)  Alice Person (alice) <alice@example.org>

    🔶 gpg> quit

    🔶 $ gpg --list-secret-keys --keyid-format LONG alice
    sec   4096R/8C0BBECBAA79CCAE 2017-08-23
    uid                          Alice Person (alice) <alice.person@example.com>
    uid                          Alice Person (alice) <alice@example.org>
    ssb   4096R/6ADB9D4262275E24 2017-08-23 👈
    ssb   4096R/33F2E1644AEA9524 2017-08-23

    Note: So in this case we want 6ADB9D4262275E24

  2. Configure git and (optionally) make it sign all commits by default:
    🔷 $ git config --global user.name "Alice Person"
    🔷 $ git config --global user.email "alice.person@example.com"
    🔶 $ git config --global user.signingkey "6ADB9D4262275E24"
    🔷 $ git config --global commit.gpgsign true
    🔷 $ git config --global push.gpgsign if-asked
    🔶 $ where gpg
    C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe
    🔶 $ git config --global gpg.program "C:/Program Files (x86)/GNU/GnuPG/pub/gpg.exe"

    Note: If repo specific, just skip --global and run the command in the repo instead.

Test it…

  1. Do a commit:
    🔷 $ git init gpg-test
    🔷 $ cd gpg-test
    🔷 $ touch file.txt
    🔶 $ git commit -a -m "Signed commit"

    You need a passphrase to unlock the secret key for
    user: "Alice Person (alice) <alice.person@example.com>"
    4096-bit RSA key, ID 62275E24, created 2017-08-23 (main key ID AA79CCAE)

    [master (root-commit) 2814856] Works...?
     1 file changed, 0 insertions(+), 0 deletions(-)
     create mode 100644 file.txt

    Note: One can also use the the -S option as alternative to using the commit.gpgsign true config, but as a forgetful person, I’d advice against that… Either set the config globally, or for the specific repo you need it for.

  2. Verify commit was signed:
    🔷 $ git log --show-signature
    commit 2814856365a07b3deb374f1337258102c06b77ef
    gpg: Signature made 08/23/17 06:18:50 W. Europe Daylight Time^M
    gpg:                using RSA key 6ADB9D4262275E24^M
    gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]^M
    gpg:                 aka "Alice Person (alice) <alice@example.org>" [ultimate]^M
    Author: Alice Person <alice.person@example.com>
    Date:   Wed Aug 23 06:18:48 2017 +0200

        Signed commit
  3. Add a signed tag, using -s:
    🔶 $ git tag -s v1 -m "Signed tag"

    You need a passphrase to unlock the secret key for
    user: "Alice Person (alice) <alice.person@example.com>"
    4096-bit RSA key, ID 62275E24, created 2017-08-23 (main key ID AA79CCAE)

    Note: Unfortunately, unlike for commits, there is no tag.gpgsign true config as of writing, so to sign tags the -s option has to be remembered.

  4. Verify tag was signed:
    🔷 $ git tag -v v1
    gpg: Signature made 08/23/17 06:34:18 W. Europe Daylight Time
    gpg:                using RSA key 6ADB9D4262275E24
    gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]
    gpg:                 aka "Alice Person (alice) <alice@example.org>" [ultimate]
    object 53e7f2e637eaf3c47b5dcad30b57be7b6829be02
    type commit
    tag v1
    tagger Alice Person <alice.person@example.com> 1503462856 +0200

    Signed tag

Add GPG key to GitHub

  1. Export the public key:
    🔶 $ gpg -a --export alice > public.txt
  2. Copy it.
  3. Go to GPG keys on GitHub.
  4. New GPG Key.
  5. Paste it.
  6. Add GPG Key.
  7. Pushed commits and tags should now look verified, as in this post: GPG signature verification

Sources: help.github.com, StackOverflow, git-scm.com

Edit composer dependencies “inline” while developing

Have a PHP project, and want to re-use some classes in a new project. Moving them to their own repository and turning them into a Composer dependency is a clean way to do that. If hosted on GitHub/BitBucket, it’s even simply to be a bit more proper and fancy by publishing the package on Packagist with automatic updates based on git tags. However, if still heavily developing both the project and the dependency, the round trip through repo/packagist is a pain.

But today I discovered there’s an option called --prefer-source which seems to solve most of this pain. And here’s a basic note-to-self on how to get that to work…

0. Make sure dependency is a composer dependency

// Dependency composer.json
    "name": "my/package",
        "psr-4": {"": "src/"}

1. Add dependency repo and package to root project

// Root project composer.json
        {"type": "vcs", "url": "https://github.com/username/my-project"}
        "my/project": "dev-master",

2. Run update with –prefer-source

$ composer require my/package dev-master --prefer-source

We should now have the package downloaded and, more importantly, if you check ./vendor/my/package it should have the .git directory, meaning you can make immediately working changes there directly, and commit when you’re happy… Our other root project(s) depending on it should then get the update from the source repository after an easy composer update. 👍

Note: I’m a bit fuzzy on what composer does to keep track on whatever different happens through --prefer-source, and it’s an option for both composer install and composer update. For example, at first attempt, I tried to use composer update --prefer-source on a dependency that had already been downloaded, and the .git directory did not turn up, but if I just deleted the vendor directory for that package and then re-ran the command, then the .git was there.

So, feel free to comment if you have some light on that topic 😛🤓

Simple automated website deployment via GitHub

Here is a very simple way to add automatic deployment via GitHub. This assumes

  • You have shell access to your web host
  • Your website is in a repository on GitHub
  • CGI scripts are enabled for your website
  • That git (and optionally composer if you use that) is installed

Initial pull

Log on to your web host and do the initial pull.

$ cd path/to/website
$ git clone https://github.com/<you>/<website>.git .

Deployment script

Put the following script in a file named for example deploy.cgi in your website root.

echo Content-type: text/plain

export PATH=~/bin/:$PATH

git pull
composer.phar install
echo DONE
I’m on Dreamhost and the export line is so the cgi script will use the composer.phar and php symlink located in ~/bin. See this post for more info.

Add execute rights to the script.

$ chmod u+x deploy.cgi

You should now be able to visit http://<your-website>/deploy.cgi in your browser and see output like this:

Already up-to-date.
Loading composer repositories with package information
Installing dependencies from lock file
Nothing to install or update
Generating autoload files

Set up GitHub service hook

Go to https://github.com/<you>/<website>/settings/hooks, click on WebHook URLs and enter the full URL to your script, http://<your-website>/deploy.cgi

Test it out

With this set up you should be able to make a change at your dev machine, commit it and push it to GitHub. The script should then be executed shortly after and your website should be updated automatically. Pretty cool 🙂

This is of course ultra simple, and if this is a critical site you should probably add some security of some sort. A simple version could be to use a cryptic name like a guid for the script and of course not have this script checked in at GitHub. You might also perhaps want to only pull from a certain branch or things like that, but for a small simple site this works pretty well as long as you remember to only push to GitHub when you have a working set of commits 😉