This content is in progress and is expected to continue to evolve.

git commit signing

Signing your commits is a way to signify that the code came from your computer(s). Within the Github.com UI, this is shown as a Verified tag next to the commit. Setting this up with more manual methods can be involved: you need to consider storing, backing up and re-provisioning your keys.

To help alleviate the effort of these considerations, we are going to rely on Keybase.io. It manages your keys and creates a chain of keys (which helps as you move between devices).

Start off setting up your [[Keybase]] account and install their software. This will give you access to the [[Keybase]] CLI.

We also need access to the gpg tools. If you are on Mac/Linux with [[Homebrew]], install it with:

brew install gpg

Creating your keys

Keybase starts with a PGP key for your account, and every device and key you provision chains off of that original one. This lets you revoke devices and keys while the chain itself stays trusted.

creating a new key

If you haven’t yet created a key, run this command to create a new key that chains off of the original one.

keybase pgp gen --multi

Then add this to your Github.com profile.

keybase pgp export -q <YOUR_KEY_ID> | pbcopy
open https://github.com/settings/keys

importing an existing key

Importing an existing key also sets it up locally for you. If you have previously created a key, you can run the following to see a list of your keys.

keybase pgp export

Then you can “export” the key from [[Keybase]] and bring it into your local keychain. Note that the second command will ask for a password; whenever you commit, you will be asked for this password.

keybase pgp export -q <YOUR_KEY_ID> | gpg --import
keybase pgp export -q <YOUR_KEY_ID> --secret | gpg --allow-secret-key-import --import

Alternatively, you can set it up to save the password on your computer, but that opens up the possibility that someone can use your computer to commit “verified” code.

You will also want gpg to trust this key locally. Adjust the key’s “trust level” by editing the key and responding to the prompts.

gpg --edit-key <YOUR_KEY_ID>
gpg> trust
gpg> 5 # Ultimate trust
gpg> quit

Set git to always sign with your key

You can now list your local keys with the following command. The CLI commands below take the LONG key id format.

gpg --list-secret-keys --keyid-format LONG

which returns

❯ gpg --list-secret-keys --keyid-format LONG
/Users/jacobbolda/.gnupg/pubring.kbx
------------------------------------
pub   rsa4096/<YOUR_KEY_ID> <DATE> [SC] [expires: <DATE>]
      <ANOTHER_KEY>
uid                 [ultimate] Jacob Bolda <me@jacobbolda.com>
sub   rsa4096/<ANOTHER_OTHER_KEY> <DATE> [E] [expires: <DATE>]

Adjust your git config to always sign with your designated key.

git config --global user.signingkey <YOUR_KEY_ID>
git config --global commit.gpgsign true
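As an added sanity check (this script is not part of the original page or of Keybase), the script below parses a constructed secret-key listing and confirms that user.signingkey is the LONG id of a primary key in the keyring and that commit.gpgsign is on; the key ids in the sample are made-up placeholders. When gpg and git are installed it also runs the same check against your real configuration.

```shell
# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output.
# The key id and fingerprint are made-up placeholders, not real keys.
SAMPLE_LISTING='/Users/example/.gnupg/pubring.kbx
------------------------------------
sec   rsa4096/0123456789ABCDEF 2020-01-01 [SC] [expires: 2022-01-01]
      0000000000000000000000000123456789ABCDEF
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/FEDCBA9876543210 2020-01-01 [E] [expires: 2022-01-01]'

# Print the LONG id of the first primary key in a listing read from stdin.
# Accepts both "sec" (secret listing) and "pub" (public listing) lines.
long_keyid_from_listing() {
  awk '($1 == "sec" || $1 == "pub") { split($2, p, "/"); print p[2]; exit }'
}

# Succeed only for a 16-hex-digit LONG id; 8-digit short ids are ambiguous
# and should not be used as user.signingkey.
is_long_keyid() {
  case "$1" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 16 ]
}

# Decide whether git will sign every commit with a key the keyring holds.
# $1: listing text, $2: user.signingkey value, $3: commit.gpgsign value.
# Prints "ok" or the reason, and returns non-zero when signing would not work.
check_signing_config() {
  want=$(printf '%s\n' "$1" | long_keyid_from_listing)
  if [ "$3" != "true" ]; then
    echo "commit.gpgsign is not true: commits will not be signed"; return 1
  fi
  if ! is_long_keyid "$2"; then
    echo "user.signingkey '$2' is not a 16-digit LONG key id"; return 1
  fi
  if [ "$2" != "$want" ]; then
    echo "user.signingkey $2 is not the primary secret key ($want)"; return 1
  fi
  echo ok
}

# Run against this machine when gpg and git are present (skipped otherwise).
if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
  check_signing_config \
    "$(gpg --list-secret-keys --keyid-format LONG 2>/dev/null)" \
    "$(git config --global user.signingkey)" \
    "$(git config --global commit.gpgsign)" || true
fi
```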

wrapping it up

Now every time you commit code, the commit will be signed and Github will show a Verified tag next to your commits. Hovering over the tag shows some information about which key was used.

shell configuration

Some shells require extra configuration for the password prompt to appear. I added export GPG_TTY=$(tty) to the end of my ~/.zshrc to get the password prompt in my terminal.


Further Reading

https://github.com/pstadler/keybase-gpg-github