Prelude
Signature verification for Git commits serves as a validation mechanism, confirming the authenticity of code contributions by specific developers, thereby ensuring the provenance of the code. In this discourse, we shall embark on a journey to create and utilize a GPG key for Git commit signature verification.
Generating a GPG Key
Initially, we are tasked with the creation of a fresh GPG key. Introduce the following command into your terminal:
gpg --full-generate-key
Subsequently, you will be presented with a variety of options, as follows:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
For our purposes, we opt for “RSA and RSA” as our key type.
Next, determine the length of your key. We shall select the maximum of 4096 bits.
Thereafter, establish the validity period of your key. We choose “0”, signifying an eternal key.
Finally, provide your real name and email address. Note, this email address should be in concordance with your GitHub account’s email address.
The final step prompts you for a key password. For simplicity, I chose not to set a password. Upon twice confirming the absence of a password, the key creation process is successfully completed, as detailed below.
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: bboysoul
Email address: [email protected]
Comment: bboysoul
You selected this USER-ID:
"bboysoul (bboysoul) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B56AE528749E4720 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/C9629863614001FEA5D09F46B56AE528749E4720.rev'
public and secret key created and signed.
pub rsa4096 2024-02-02 [SC]
C9629863614001FEA5D09F46B56AE528749E4720
uid bboysoul (bboysoul) <[email protected]>
sub rsa4096 2024-02-02 [E]
Inspecting and Exporting the Key
Post creation of the key, we can scrutinize it via the following command:
gpg --list-secret-keys --keyid-format LONG
Next, we are tasked with exporting the key we just created. We employ the following command for this purpose:
gpg --armor --export YOUR_KEY_ID
Here, YOUR_KEY_ID is the string that follows rsa4096 from the prior step.
Finally, append your public key to GitHub. You can do so on the GitHub settings keys page.
Configuring Git
Next, we need to instruct Git to use the GPG key we just crafted. Firstly, we establish a global signingkey:
git config --global user.signingkey YOUR_KEY_ID
Then, we activate GPG signature:
git config --global commit.gpgsign true
Troubleshooting Common Issues
If you encounter the following error during your commit:
error: gpg failed to sign the data
fatal: failed to write commit object
This could be a consequence of your shell environment. The following environment variable can be introduced to rectify this issue:
export GPG_TTY=$(tty)
Now, you have successfully configured Git commit signature. Each time you commit code, Git will utilize your GPG key for signature, ensuring the origin of the code.
Feel free to follow my blog at www.bboy.app
Have Fun