Signing Git Commits
# Signing Commits
Signing your commits, especially with GPG (GNU Privacy Guard), ensures that your commits are cryptographically verified and traceable to you. Here are the advantages:
### 1. Authenticity
Signing commits guarantees that they were made by you and haven’t been altered by someone else. This is vital in collaborative or sensitive projects.
### 2. Accountability
It adds a layer of accountability since each commit is tied directly to your identity. This is helpful in team environments where accurate contribution tracking matters.
### 3. Security
In open source or public projects, it prevents malicious actors from impersonating you by pushing fake commits. Signing commits establishes trust in your contributions.
### 4. Compliance
Many organizations require commit signing for regulatory or security compliance, ensuring that all changes are properly verified and accounted for.
### 5. Trust in Codebases
For repositories with external contributors, signed commits give maintainers confidence in merging and verifying changes.
If you're using Git, the process involves generating a GPG key, associating it with your email, and then configuring Git to sign your commits automatically, or manually.
# Installing a GPG Client
You can find the appropriate version of the client on the [official page](https://www.gnupg.org/download/). For Windows, using a package manager such as Chocolatey may be better for keeping it up to date.
# Creating a GPG Key (Signature)
If you are going to use GitHub for hosting repositories, it supports the following [GPG key algorithms](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key#supported-gpg-key-algorithms):
* RSA
* ElGamal
* DSA
* ECDH
* ECDSA
* EdDSA
Before creating a new GPG key, you should verify your email address; otherwise you won’t be able to push signed commits.
1. First generate a new GPG key pair:
```shell
gpg --full-generate-key
```
2. Follow the on-screen prompts for required inputs such as key type, key size, and expiration date. You can accept the defaults; GitHub also suggests a non-expiring key unless you have valid reasons. When asked to enter your email address, ensure that you enter the verified email address for your GitHub account. If you want to keep your email address private, you can use your GitHub-provided `no-reply` email address.
3. Type a secure passphrase.
4. Once the key has been generated, use the command below to list the long form of the GPG keys for which you have both a public and a private key (you need the private key for signing commits or tags):
```shell
gpg --list-secret-keys --keyid-format=long
```
5. From the list of the GPG keys, copy the long form of the GPG key you would like to use. For the below example, the key ID is `3AA5C34371567BD2`:
```shell
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot <hubot@example.com>
ssb 4096R/4BB6D45482678BE3 2016-03-10
```
6. Use the command below to export the public key for that key ID in ASCII armor format:
```shell
gpg --armor --export 3AA5C34371567BD2
```
7. Copy your GPG key, beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending with `-----END PGP PUBLIC KEY BLOCK-----`.
8. [Add the GPG key to your GitHub account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account)
# Setting Up Git
1. The Git user email must match the email associated with the GPG key. If it does not, update it (run the command without a value to display the current setting):
```shell
git config --global user.email "<your-verified-email>"
```
2. It is good practice to clear any previously configured signing format (`gpg.format`) so that Git falls back to its default, OpenPGP:
```shell
git config --global --unset gpg.format
```
3. If you don't have the ID of the GPG key, find it with the command from the previous section:
```shell
gpg --list-secret-keys --keyid-format=long
```
4. Set the key either globally or per repository:
```shell
# global auto-signing:
git config --global commit.gpgsign true
git config --global user.signingkey <key>
# per repo auto-signing when executed in a repo
git config commit.gpgsign true
git config user.signingkey <key>
```
5. Setting the correct GPG executable is important; it is more than likely that your system (especially if it is Windows) has more than one GPG installation (for example, Git for Windows and Octave each install their own). Find the executable you installed in the first section; most of the time it will be under *"C:/Program Files (x86)/GnuPG/bin/gpg.exe"*. Configure Git to use this path:
```shell
git config --global gpg.program "C:/Program Files (x86)/GnuPG/bin/gpg.exe"
```
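Once signing is configured, check that it actually took effect before relying on it: `git log --format='%G? %h %s'` prints one status letter per commit, and a quick audit over that output shows any unsigned or untrusted commits. The script below is an added example, not part of the original page; it reads such lines on stdin (constructed sample lines are embedded at the end) and the status letters are Git's documented `%G?` values.

```shell
#!/bin/sh
# Audit commit signature status from `git log --format='%G? %h %s'` output.
# Git's %G? letters:
#   G  good signature from a key with sufficient trust
#   U  good signature, but the key's validity is unknown (untrusted)
#   X  good signature that has expired
#   Y  good signature made by an expired key
#   R  good signature made by a revoked key
#   E  signature cannot be checked (e.g. public key missing)
#   B  bad signature
#   N  no signature
# Prints every commit that fails a "signed by a trusted key" policy;
# returns 0 when all commits pass, 1 otherwise.
audit_signatures() {
  failed=0
  while IFS=' ' read -r status hash subject; do
    [ -z "$status" ] && continue
    case "$status" in
      G) ;;
      U)     echo "UNTRUSTED       $hash $subject"; failed=1 ;;
      N)     echo "UNSIGNED        $hash $subject"; failed=1 ;;
      B)     echo "BAD             $hash $subject"; failed=1 ;;
      E)     echo "NOKEY           $hash $subject"; failed=1 ;;
      X|Y|R) echo "EXPIRED/REVOKED $hash $subject"; failed=1 ;;
      *)     echo "UNKNOWN($status) $hash $subject"; failed=1 ;;
    esac
  done
  return $failed
}

# Constructed sample lines in the shape `git log --format='%G? %h %s'` prints.
# In a real repository, pipe the git command itself into audit_signatures,
# e.g.  git log --format='%G? %h %s' origin/main..HEAD | audit_signatures
SAMPLE='G 3f2a1b0 Add input validation
N 9c8d7e6 Quick fix committed from a CI box
U 1a2b3c4 Refactor parser
B 5d6e7f8 Bump version'

printf '%s\n' "$SAMPLE" | audit_signatures || echo "signature policy check failed"
```

Note that `U` means the signature is valid but you have not assigned trust to the key locally; importing a teammate's public key is not enough on its own, the key's trust level must also be set (for example with `gpg --edit-key`).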