What I did to get from working GPG to green and verified signatures for Git commits and tags on GitHub.
- Find the long id of the signing key we want to use:
🔶 > gpg --edit-key alice
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/AA79CCAE created: 2017-08-23 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/62275E24 created: 2017-08-23 expires: never usage: S 👈
sub 4096R/4AEA9524 created: 2017-08-23 expires: never usage: E
[ultimate] (1). Alice Person (alice) <alice.person@example.com>
[ultimate] (2) Alice Person (alice) <alice@example.org>
🔶 gpg> quit
🔶 > gpg --list-secret-keys --keyid-format LONG alice
sec 4096R/8C0BBECBAA79CCAE 2017-08-23
uid Alice Person (alice) <alice.person@example.com>
uid Alice Person (alice) <alice@example.org>
ssb 4096R/6ADB9D4262275E24 2017-08-23 👈
ssb 4096R/33F2E1644AEA9524 2017-08-23
Note: So in this case we want 6ADB9D4262275E24, the long id of the signing subkey (usage: S), not the primary key.
- Configure git and (optionally) make it sign commits and tags by default:
🔷 > git config --global user.name "Alice Person"
🔷 > git config --global user.email "alice.person@example.com"
🔶 > git config --global user.signingkey "6ADB9D4262275E24"
🔷 > git config --global commit.gpgsign true
🔷 > git config --global tag.forceSignAnnotated true
🔷 > git config --global push.gpgsign if-asked
🔶 > where gpg
C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe
🔶 > git config --global gpg.program "C:/Program Files (x86)/GNU/GnuPG/pub/gpg.exe"
🔶 > echo no-tty >> %APPDATA%\gnupg\gpg.conf
Note: If repo specific, just skip --global and run the commands in the repo instead.
Test it…
- Do a commit:
🔷 > git init gpg-test
🔷 > cd gpg-test
🔷 > touch file.txt
🔶 > git commit -a -m "Signed commit"
[master (root-commit) 2814856] Signed commit
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 file.txt
Note: If not using commit.gpgsign true, one can also use -S to explicitly sign a commit.
- Verify commit was signed:
🔷 > git log --show-signature
commit 2814856365a07b3deb374f1337258102c06b77ef
gpg: Signature made 08/23/17 06:18:50 W. Europe Daylight Time
gpg: using RSA key 6ADB9D4262275E24
gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]
gpg: aka "Alice Person (alice) <alice@example.org>" [ultimate]
Author: Alice Person <alice.person@example.com>
Date: Wed Aug 23 06:18:48 2017 +0200
Signed commit
- Add a signed tag:
🔶 > git tag v1 -m "Signed tag"
Note: If not using tag.forceSignAnnotated true, one can also use -s to explicitly sign a tag.
- Verify tag was signed:
🔷 > git tag -v v1
gpg: Signature made 08/23/17 06:34:18 W. Europe Daylight Time
gpg: using RSA key 6ADB9D4262275E24
gpg: Good signature from "Alice Person (alice) <alice.person@example.com>" [ultimate]
gpg: aka "Alice Person (alice) <alice@example.org>" [ultimate]
object 53e7f2e637eaf3c47b5dcad30b57be7b6829be02
type commit
tag v1
tagger Alice Person <alice.person@example.com> 1503462856 +0200
Signed tag
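Once the setup above works, the same "was it signed, and by the right key?" check can be run over a whole range of commits instead of one at a time. The following is an added example, not code from the original post: it parses the output of `git log --format='%H %G? %GK'` (the %G? status letters are the ones documented in git-log(1)) and flags every commit that does not carry a good, trusted signature from an allowed long key id. The sample log lines and commit hashes are constructed; the key id 6ADB9D4262275E24 is the signing subkey from the post.

```python
import subprocess
from typing import List, Set, Tuple

# Meaning of the %G? placeholder in git log --format, per git-log(1).
STATUS_TEXT = {"G": "good, trusted", "B": "bad", "U": "good but untrusted key",
               "X": "expired signature", "Y": "expired key", "R": "revoked key",
               "E": "cannot check (key missing?)", "N": "unsigned"}

# Constructed sample of `git log --format='%H %G? %GK'` output: placeholder hashes,
# the post's signing subkey as the allowed key, and a made-up key id
# (0123456789ABCDEF) that is not on the allow list.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111 G 6ADB9D4262275E24\n"
    "2222222222222222222222222222222222222222 U 6ADB9D4262275E24\n"
    "3333333333333333333333333333333333333333 N\n"
    "4444444444444444444444444444444444444444 G 0123456789ABCDEF\n"
)

def parse_signature_log(text: str) -> List[Tuple[str, str, str]]:
    """Turn `%H %G? %GK` lines into (commit, status, key_id); %GK is empty when unsigned."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        status = parts[1] if len(parts) > 1 else "N"
        key_id = parts[2] if len(parts) > 2 else ""
        rows.append((parts[0], status, key_id))
    return rows

def audit(rows: List[Tuple[str, str, str]], allowed_keys: Set[str]) -> List[Tuple[str, str]]:
    """Report commits not signed with status G by an allowed long key id; empty means clean."""
    problems = []
    for commit, status, key_id in rows:
        if status != "G":
            problems.append((commit, f"status {status}: {STATUS_TEXT.get(status, 'unknown')}"))
        elif key_id.upper() not in allowed_keys:
            problems.append((commit, f"good signature but unexpected key {key_id}"))
    return problems

def git_signature_log(rev_range: str) -> str:
    """Produce the same format from a real repository (needs git and the public keys)."""
    cmd = ["git", "log", "--format=%H %G? %GK", rev_range]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Offline demo on the constructed sample; use git_signature_log("origin/master..HEAD") for a repo.
    for commit, reason in audit(parse_signature_log(SAMPLE_LOG), {"6ADB9D4262275E24"}):
        print(f"{commit[:12]}  {reason}")
```

Commit 2222… is reported even though it was made with the right key, because on a machine where that key is not trusted gpg returns U rather than G, which is exactly the case the GitHub "Verified" badge also cares about.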
Add GPG key to GitHub
- Export the public key:
🔶 > gpg -a --export alice > public.txt
- Copy it.
- Go to GPG keys on GitHub.
- New GPG Key.
- Paste it.
- Add GPG Key.
- Pushed commits and tags should now look verified, as in this post: GPG signature verification…
Sources: help.github.com, StackOverflow, git-scm.com