Signing Code Commits
We should always sign the commits that we make in source code repositories, especially for shared projects such as Open Source software. A signature lets anyone check which author produced each commit. This article explains how to set up GnuPG, the current standard tool for signing commits.
GPG: We call GnuPG GPG in this article. This is because the command-line tool is called gpg, and many other documents use the term GPG instead of GnuPG.
Sequoia PGP may supersede GnuPG in future. This article currently only covers GnuPG.
How Commit Signing Works #
If you use a repository hosting service like Codeberg, GitHub or an instance of GitLab, you will see that commits are marked as Verified. This means that the service has checked a signature showing that the commit actually came from the author. These services use various methods to verify the commits.
Use GPG to sign your Git commits and register the same GPG key for all of the services that you use. This ensures that copies of the same commits can be verified everywhere.
To do this, create a keypair with GPG, configure Git to use it, and then register the public key with the hosting services that you use. The rest of this article leads you through the process to enable commit signing.
Installing GPG #
Many Linux distributions include GPG by default. To install GPG on macOS, use Homebrew. Run these commands to install GPG and its desktop integration (the pinentry program that prompts for your passphrase):
brew install gnupg
brew install pinentry-mac
Creating a GPG Key #
To create a GPG key, run the gpg command in a terminal window, like this:
gpg --full-gen-key
GPG will prompt you for several options. Use these values:
- Select the RSA and RSA algorithm
- Choose a key length of 4096
- Accept the default option to have no expiration date for your key
- Enter the same email address that you will use for code hosting sites, such as Codeberg or GitHub
Once you have created a GPG key, configure Git to use it.
First get the ID of the key:
gpg --list-secret-keys --keyid-format=long
This displays output like this:
pub rsa4096/C36CB86CB86B3716 2022-01-18 [SC]
BF18AC2876178908D6E71267D36CB86CB86B3716
uid [ultimate] Anne Example <anne@example.org>
sub rsa4096/B7BB94F0C9BA6CAA 2022-01-18 [E]
In this example, the key ID is C36CB86CB86B3716.
Enabling Git to Sign Commits #
To configure Git to use the key that you have created:
git config --global user.signingkey C36CB86CB86B3716
git config --global commit.gpgsign true
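The steps above are easy to get wrong by hand: copying the wrong column from the key listing, or pasting a short 8-character key ID where a long one is expected. The following POSIX shell script is an added example, not part of the original article, that automates the "find the key ID, then configure Git" step. It parses the format of the gpg --list-secret-keys --keyid-format=long listing, picks the first secret key whose usage flags include S (signing capability), and prints the two git config commands for that key. The sample listing embedded in the script is constructed from the article's example and uses the sec/ssb labels that gpg prints for secret keys; the parser accepts pub lines as well. The function names (signing_key_id, key_fingerprint, is_long_key_id) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): derive the Git signing
# configuration from a gpg key listing instead of copying the ID by hand.

# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output,
# based on the article's example key.
SAMPLE_LISTING='sec   rsa4096/C36CB86CB86B3716 2022-01-18 [SC]
      BF18AC2876178908D6E71267D36CB86CB86B3716
uid                 [ultimate] Anne Example <anne@example.org>
ssb   rsa4096/B7BB94F0C9BA6CAA 2022-01-18 [E]'

# Read a key listing on stdin and print the long key ID of the first
# primary key whose usage flags contain S (signing). Subkeys (ssb/sub)
# and encryption-only keys ([E]) are skipped.
signing_key_id() {
    awk '($1 == "sec" || $1 == "pub") && $4 ~ /S/ {
             split($2, parts, "/"); print parts[2]; exit
         }'
}

# Read a key listing on stdin and print the 40-hex-digit fingerprint that
# follows the first primary key line. Useful when a hosting service asks
# for the fingerprint rather than the key ID.
key_fingerprint() {
    awk '$1 == "sec" || $1 == "pub" { want = 1; next }
         want && length($1) == 40 && $1 ~ /^[0-9A-F]+$/ { print $1; exit }'
}

# Succeed only if $1 is a 16-hex-digit long key ID. Short (8-digit) IDs are
# rejected because distinct keys can share a short ID.
is_long_key_id() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Emit the git config commands from the article for a given key ID.
git_signing_commands() {
    printf 'git config --global user.signingkey %s\n' "$1"
    printf 'git config --global commit.gpgsign true\n'
}

# Demo when run directly. Replace SAMPLE_LISTING with
#   gpg --list-secret-keys --keyid-format=long
# to use your own keyring.
KEY_ID=$(printf '%s\n' "$SAMPLE_LISTING" | signing_key_id)
if is_long_key_id "$KEY_ID"; then
    git_signing_commands "$KEY_ID"
else
    echo "no signing-capable key with a long key ID found" >&2
fi
```

To apply the output to your real configuration, pipe the live listing through signing_key_id and run the printed commands; the script deliberately prints them rather than executing them so you can confirm the key ID first.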
Registering Your GPG Key with Repository Hosts #
Finally, add your GPG key to your accounts on code hosting services that you use. These services each provide their own documentation on how to register your GPG key: