Make all new commits verified at GitHub

Posted by Alexander Ross on 12 January 2019

A guide to adding GPG signatures to all your git commits. It assumes you already have git and Homebrew installed on your macOS machine.

When you create a git commit you are free to set any author. For example, let's say you would like to create a commit that looks as if DHH, the creator of Ruby on Rails and founder of Basecamp, made it. All you need to do is set the author like this.

$ git commit --author="dhh <[email protected]>"

So the author field alone tells you nothing about who actually committed the code. The fix is to GPG sign your commits: GitHub then shows a Verified badge on each commit, which means the signature was made with a private key whose public half is registered on your account and whose email address matches the committer email of the commit.

A signed commit will look like this on GitHub.

Image of signed commit from DHH

An unsigned commit will look like this on GitHub.

Image of unsigned commit from DHH

Generate GPG key

You need GnuPG to get started. Let's install it using Homebrew.

$ brew install gnupg

Run the command below and enter your name when asked. When asked for your email address, make sure it is the same one you use with git (git config user.email) and that it is a verified email address on your GitHub account; otherwise GitHub will not mark your commits as verified.

Choose a strong passphrase and remember it, or store it in a password manager like 1Password or LastPass if you have to write it down anywhere.

$ gpg --default-new-key-algo rsa4096 --gen-key

Export public key and add to GitHub

First you need to know your key-id. Run the following.

$ gpg --list-secret-keys --keyid-format LONG
/Users/foobar/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/3AA5C34371567BD2 2019-01-12 [SC] [expires: 2021-01-11]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 My Name <[email protected]>

In the example above the key-id is 3AA5C34371567BD2, the part after rsa4096/ on the sec line. Copy your public key with the command below, replacing <key-id> with your key-id.

$ gpg --armor --export <key-id> | pbcopy

The public key is now in your clipboard and you can paste it with ⌘V. Next, go to SSH and GPG keys at GitHub.

Either click this link https://github.com/settings/keys or navigate to GitHub, click your profile image in the top right corner, click Settings and then SSH and GPG keys in the left menu.

Click “New GPG key”, paste your public key and confirm.

Use pinentry-mac to remember pass phrase in macOS Keychain

The passphrase should be strong and hard to guess, and it would be nice not to have to keep it in your head. So let's make the macOS Keychain remember it for you.

Install pinentry-mac.

$ brew install pinentry-mac

Point gpg-agent at pinentry-mac. Once the passphrase is stored in Keychain, gpg-agent can unlock the key without prompting, which is what lets git sign every commit automatically. Be aware that this also means any process running as your user can sign with the key without being asked; that is the trade-off for the convenience. The command below overwrites any existing ~/.gnupg/gpg-agent.conf, and the path is Homebrew's bin directory, which is /usr/local/bin on Intel Macs (check brew --prefix if yours differs).

$ mkdir -p ~/.gnupg
$ echo "pinentry-program /usr/local/bin/pinentry-mac" > ~/.gnupg/gpg-agent.conf

Configure git to automatically gpgsign your commits

Get your key-id just as in “Export public key and add to GitHub”. Then run the following in the terminal, replacing <key-id> with your key-id. The last line makes annotated tags (git tag -a) signed as well.

$ git config --global user.signingkey <key-id>
$ git config --global commit.gpgsign true
$ git config --global tag.forceSignAnnotated true

Try it out

If gpg-agent was already running before you changed its configuration, kill it so that it restarts with the new settings (gpg starts it again on demand).

$ killall gpg-agent

Create a test git repository

$ mkdir gittest
$ cd gittest
$ git init
$ echo "test" > test.txt
$ git add test.txt
$ git commit -m "test"

The first time you commit, a pinentry popup will appear asking for the passphrase. Tick “Save in Keychain” so that you don’t need to type the passphrase every time.

Image of popup window from Pinentry Mac

If you create a repository on GitHub and push the test repository to it, you will see that it contains a verified commit.

Image of verified test commit
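As an added end-to-end check for the “Configure git” and “Try it out” steps above (an example script, not code from the original post): it picks the key-id for your git email out of the gpg listing, confirms that user.signingkey points at that key, and verifies the signature on HEAD with git verify-commit. A mismatch between the committer email and the key's uid is the usual reason a signed commit still shows as Unverified on GitHub. The listing the script parses offline is constructed sample output with made-up addresses, and the --check flag is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Runs in any POSIX shell.
set -eu

# Constructed sample of "gpg --list-secret-keys --keyid-format LONG" output
# with two keys and made-up addresses, so the parser below can be exercised
# on a machine without gpg. The long key-id is the part after "rsa4096/".
SAMPLE_LISTING=$(cat <<'EOF'
/Users/foobar/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/1111111111111111 2018-05-01 [SC]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 Work Me <work@example.org>
ssb   rsa4096/2222222222222222 2018-05-01 [E]
sec   rsa4096/3AA5C34371567BD2 2019-01-12 [SC] [expires: 2021-01-11]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 My Name <me@example.com>
ssb   rsa4096/3333333333333333 2019-01-12 [E] [expires: 2021-01-11]
EOF
)

# keyid_for_email LISTING EMAIL
# Print the long key-id of the secret key whose uid carries <EMAIL>, or
# nothing if no secret key matches. A "sec" line (or "sec#" for a key whose
# secret part lives elsewhere) starts a key; the uid lines after it belong to it.
keyid_for_email() {
    listing=$1
    email=$2
    printf '%s\n' "$listing" | awk -v email="$email" '
        $1 ~ /^sec/ { split($2, parts, "/"); key = parts[2] }
        $1 == "uid" && index($0, "<" email ">") { print key; exit }
    '
}

# check_repo_signing
# Live check to run inside a repository after the setup steps: the committer
# email must have a secret key, user.signingkey must point at that key, and
# HEAD must carry a good signature. Any mismatch here is what makes GitHub
# show "Unverified" even though the commit is signed.
check_repo_signing() {
    email=$(git config user.email || true)
    keyid=$(keyid_for_email "$(gpg --list-secret-keys --keyid-format LONG)" "$email")
    if [ -z "$keyid" ]; then
        echo "no secret key with uid <$email>" >&2
        return 1
    fi
    if [ "$(git config user.signingkey)" != "$keyid" ]; then
        echo "user.signingkey is not $keyid" >&2
        return 1
    fi
    # Exits non-zero for a missing or bad signature; prints the signer on success.
    git verify-commit HEAD
}

# "--check" is a flag invented for this example: without it the script only
# defines the functions, so it can be sourced or run where gpg is absent.
if [ "${1:-}" = "--check" ]; then
    check_repo_signing
fi
```

Run it as sh check-signing.sh --check from inside the gittest repository after the first signed commit. If git verify-commit reports a good signature but GitHub still shows Unverified, the remaining suspects are the email on the key's uid not being a verified address on your GitHub account, or the public key not having been added under SSH and GPG keys.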