Setting up GPG signing for Git/GitHub on Windows

Published:

What I did to get from working GPG to green and verified signatures for Git commits and tags on GitHub.

  1. Find the long ID of the signing key we want to use:
```
🔶 > gpg --edit-key alice
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/AA79CCAE  created: 2017-08-23  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/62275E24  created: 2017-08-23  expires: never       usage: S   👈
sub  4096R/4AEA9524  created: 2017-08-23  expires: never       usage: E
[ultimate] (1). Alice Person (alice) <alice.person@example.com>
[ultimate] (2)  Alice Person (alice) <alice@example.org>

🔶 gpg> quit

🔶 > gpg --list-secret-keys --keyid-format LONG alice
sec   4096R/8C0BBECBAA79CCAE 2017-08-23
uid                          Alice Person (alice) <alice.person@example.com>
uid                          Alice Person (alice) <alice@example.org>
ssb   4096R/6ADB9D4262275E24 2017-08-23 👈
ssb   4096R/33F2E1644AEA9524 2017-08-23
```

📝 In this case we want 6ADB9D4262275E24: the long ID of the subkey whose usage is S (the signing subkey), not the primary key.
  2. Configure git and (optionally) make it sign commits and tags by default:
```
🔷 > git config --global user.name "Alice Person"
🔷 > git config --global user.email "alice.person@example.com"
🔶 > git config --global user.signingkey "6ADB9D4262275E24"
🔷 > git config --global commit.gpgsign true
🔷 > git config --global tag.forceSignAnnotated true
🔷 > git config --global push.gpgsign if-asked
🔶 > where gpg
C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe
🔶 > git config --global gpg.program "C:/Program Files (x86)/GNU/GnuPG/pub/gpg.exe"
🔶 > echo no-tty >> %APPDATA%\gnupg\gpg.conf
```

πŸ“ If repo specific, just skip --global and run the command in the repo instead.

Test it...

  1. Make a commit:
```
🔷 > git init gpg-test
🔷 > cd gpg-test
🔷 > touch file.txt
🔷 > git add file.txt
🔶 > git commit -a -m "Signed commit"
[master (root-commit) 2814856] Signed commit
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file.txt
```

πŸ“ If not using commit.gpgsign true, one can also use -S to explicitly sign a commit.

  2. Verify the commit was signed:
```
🔷 > git log --show-signature
commit 2814856365a07b3deb374f1337258102c06b77ef
gpg: Signature made 08/23/17 06:18:50 W. Europe Daylight Time^M
gpg:                using RSA key 6ADB9D4262275E24^M
gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]^M
gpg:                 aka "Alice Person (alice) <alice@example.org>" [ultimate]^M
Author: Alice Person <alice.person@example.com>
Date:   Wed Aug 23 06:18:48 2017 +0200

    Signed commit
```
  3. Add a signed (annotated) tag:
```
🔶 > git tag v1 -m "Signed tag"
```

πŸ“ If not using tag.forceSignAnnotated true, one can also use -s to explicitly sign a tag.

  4. Verify the tag was signed:
```
🔷 > git tag -v v1
gpg: Signature made 08/23/17 06:34:18 W. Europe Daylight Time
gpg:                using RSA key 6ADB9D4262275E24
gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]
gpg:                 aka "Alice Person (alice) <alice@example.org>" [ultimate]
object 53e7f2e637eaf3c47b5dcad30b57be7b6829be02
type commit
tag v1
tagger Alice Person <alice.person@example.com> 1503462856 +0200

Signed tag
```
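The `git log --show-signature` and `git tag -v` output above is also what you would parse if you wanted to check signatures automatically, for example in a CI job or server-side hook that rejects commits that are unsigned or signed with the wrong key. The following Python is an added example and not part of the original post: it parses gpg's verification lines (tolerating the CRLF line endings that show up as ^M in the git log output above), checks that the verdict is Good, that the key used is the expected signing subkey, and that gpg trusts it; it then audits `git log --format="%H %G? %GK"` output, which is the more script-friendly way to get the same status from git. Only the first two samples reuse lines from the post; the unsigned sample, the 1111…/2222… commit hashes and the 0123456789ABCDEF key are constructed.

```python
import re

# Long ID of the signing subkey chosen in the post (usage: S in `gpg --edit-key`).
EXPECTED_KEY_ID = "6ADB9D4262275E24"

# gpg reports the key it used and the verdict on separate lines; these match
# the lines printed by `git log --show-signature` and `git tag -v`.
KEY_RE = re.compile(r"^gpg:\s+using (\w+) key ([0-9A-Fa-f]+)\s*$")
VERDICT_RE = re.compile(r'^gpg: (Good|BAD) signature from "(.+?)"(?: \[(\w+)\])?\s*$')


def parse_gpg_status(output):
    """Extract key ID, verdict, primary UID and trust level from gpg output.
    splitlines() also swallows the CRLF endings gpg emits on Windows."""
    status = {"key_id": None, "verdict": None, "uid": None, "trust": None}
    for line in output.splitlines():
        m = KEY_RE.match(line)
        if m:
            status["key_id"] = m.group(2).upper()
            continue
        m = VERDICT_RE.match(line)
        if m:
            status["verdict"], status["uid"], status["trust"] = m.groups()
    return status


def check_signature(output, expected_key_id=EXPECTED_KEY_ID):
    """Return (ok, reason). ok is True only for a Good signature made with the
    expected key (long ID or full fingerprint) by a key gpg considers valid."""
    s = parse_gpg_status(output)
    if s["verdict"] is None:
        return False, "no gpg verdict in output: object is unsigned or gpg failed"
    if s["verdict"] != "Good":
        return False, "BAD signature"
    if not s["key_id"] or not s["key_id"].endswith(expected_key_id.upper()):
        return False, "signed with unexpected key %s" % s["key_id"]
    if s["trust"] not in ("ultimate", "full"):
        return False, "signing key is not trusted (validity: %s)" % s["trust"]
    return True, "good signature from %s (%s)" % (s["uid"], s["key_id"])


# Meaning of the %G? placeholder in `git log --format`, from git-log(1).
SIGN_STATUS = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


def audit_log(lines, expected_key_id=EXPECTED_KEY_ID):
    """Given the lines of `git log --format="%H %G? %GK"`, return (commit, reason)
    for every commit that is not a good signature from the expected key.
    Unsigned commits print an empty %GK, so their line has only two fields."""
    problems = []
    for raw in lines:
        fields = raw.split()
        if not fields:
            continue
        commit = fields[0]
        status = fields[1] if len(fields) > 1 else "N"
        key = fields[2].upper() if len(fields) > 2 else ""
        if status != "G":
            problems.append((commit, SIGN_STATUS.get(status, "unknown status " + status)))
        elif not key.endswith(expected_key_id.upper()):
            problems.append((commit, "signed with unexpected key " + key))
    return problems


# Sample inputs: the first two reuse the post's verification output (the commit
# one with the CRLF endings gpg produced on Windows); the rest are constructed.
SAMPLE_COMMIT_LOG = (
    "commit 2814856365a07b3deb374f1337258102c06b77ef\r\n"
    "gpg: Signature made 08/23/17 06:18:50 W. Europe Daylight Time\r\n"
    "gpg:                using RSA key 6ADB9D4262275E24\r\n"
    'gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]\r\n'
    'gpg:                 aka "Alice Person (alice) <alice@example.org>" [ultimate]\r\n'
    "Author: Alice Person <alice.person@example.com>\r\n"
)
SAMPLE_TAG_VERIFY = (
    "gpg: Signature made 08/23/17 06:34:18 W. Europe Daylight Time\n"
    "gpg:                using RSA key 6ADB9D4262275E24\n"
    'gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]\n'
    "object 53e7f2e637eaf3c47b5dcad30b57be7b6829be02\ntype commit\ntag v1\n"
)
SAMPLE_UNSIGNED = "commit 1111111111111111111111111111111111111111\nAuthor: Someone <someone@example.com>\n"
SAMPLE_FORMAT_LOG = [  # constructed %H %G? %GK lines: good, unsigned, untrusted key
    "2814856365a07b3deb374f1337258102c06b77ef G 6ADB9D4262275E24",
    "1111111111111111111111111111111111111111 N ",
    "2222222222222222222222222222222222222222 U 0123456789ABCDEF",
]

if __name__ == "__main__":
    for sample in (SAMPLE_COMMIT_LOG, SAMPLE_TAG_VERIFY, SAMPLE_UNSIGNED):
        print(check_signature(sample))
    for commit, reason in audit_log(SAMPLE_FORMAT_LOG):
        print(commit[:7], reason)
```

In a real hook you would feed `audit_log` the output of `git log --format="%H %G? %GK" <old>..<new>` for the pushed range; the `%G?` path is preferable to parsing human-readable gpg text, which varies with gpg version and locale.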

Add GPG key to GitHub

  1. Export the public key:
```
🔶 > gpg -a --export alice > public.txt
```
  2. Copy the contents of public.txt.
  3. Go to the GPG keys page in your GitHub settings.
  4. Click New GPG key.
  5. Paste the key.
  6. Click Add GPG key.
  7. Pushed commits and tags should now look verified, as in this post:
    GPG signature verification...