git commit signing
Signing your commits is a way to signify that this code is coming from your computer(s). Within the Github.com UI, it depicts this through a
Verifed tag. Setting this up can be involved using more manual methods. When you set this up, you need to consider storing, backup and re-provisioning your keys.
The help alleviate the effort of these considerations, we are going to rely on Keybase.io. This will help manage your keys and create a chain of keys (which helps as you move been devices).
Start off setting up your [[Keybase]] account and install their software. This will give you access to the [[Keybase]] CLI.
We also need access to the gpg tools. If you are on Mac/Linux with [[Homebrew]], install it.
brew install gpg
Creating your keys
Keybase starts with a pgp key for your account, and every device and key you provision chains off of that original one. This let's you revoke devices and keys, but still have the chain be trusted.
creating a new key
If you haven't yet created a key, run this command to create a new key that chains off of the original key.
keybase pgp gen --multi
Then add this to your Github.com profile.
keybase pgp export -q <YOUR_KEY_ID> | pbcopyopen https://github.com/settings/keys
importing an existing key
This also sets it up locally for you as well. If you have previously created a key, you can run the follow to see a list of your keys.
keybase pgp export
Then you can "export" the key from [[Keybase]] and bring it into your local keychain. Note that the second command will ask for a password. Whenever you commit, it will ask you for this password.
keybase pgp export -q <YOUR_KEY_ID> | gpg --importkeybase pgp export -q <YOUR_KEY_ID> --secret | gpg --allow-secret-key-import --import
Alternatively, you can set it up to save the password on your computer, but that opens up the possibility that someone can use your computer to commit "verified" code.
You will also want gpg to trust this key locally. You can adjust your "trust level" by editing the key and responding to the prompts.
gpg --edit-key <YOUR_KEY_ID>gpg> trustgpg> 5 # Ultimate trustgpg> quit
Set git to always sign with your key
You may list your local keys now with the following. CLI commands take the
gpg --list-secret-keys --keyid-format LONG
❯ gpg --list-secret-keys --keyid-format LONG/Users/jacobbolda/.gnupg/pubring.kbx------------------------------------pub rsa4096/<YOUR_KEY_ID> <DATE> [SC] [expires: <DATE>]<ANOTHER_KEY>uid [ultimate] Jacob Bolda <firstname.lastname@example.org>sub rsa4096/<ANOTHER_OTHER_KEY> <DATE> [E] [expires: <DATE>]
git config to always sign with your designated key.
git config --global user.signingkey <YOUR_KEY_ID>git config --global commit.gpgsign true
wrapping it up
Now every time you commit code, the commit will be signed and Github will show a
Verified tag next to your commits. Hovering over the tag shows some information about which key was used.
Some shells require some configuration to use this. I added
export GPG_TTY=$(tty) to the end of my
~./.zshrc to get the password prompt in my terminal.