Setting up GPG verification on GitHub


GPG (GNU Privacy Guard) signatures are used to verify emails, text and other messages. Originally the project was called G10, in honor of the Tenth Amendment to the Grundgesetz, the constitution of the Federal Republic of Germany.

In particular, it is used to sign git commits, so that work from trusted collaborators on GitHub can be verified.

What is GPG

One of the best-known programs for encryption and digital signature verification, PGP (Pretty Good Privacy), was written in 1991 by Phil Zimmermann in the United States. The program became actively used abroad, which was restricted: cryptographic software was considered munitions under the US export regulations. The author became the formal target of a criminal investigation, but he found a way out: the source code was published as a book by MIT Press. Book distribution is protected by the First Amendment to the United States Constitution, which guarantees freedom of the press.

Phil Zimmermann

PGP became widely used, and to resolve patent issues PGP Inc. announced an open standard called OpenPGP in 1997. In 1999 it got an open-source implementation by the German developer Werner Koch; the project is called GNU Privacy Guard (GnuPG or GPG).

Werner Koch

Okay, let's have a look at how GPG is used for commit verification on GitHub, GitLab and other platforms.

How to set up a GPG git verification

1. Download and install GPG from the project's homepage or via Brew.

2. Open Terminal (on Windows use Git Bash) and generate a key.

gpg --full-generate-key

Choose the "RSA and RSA" key type, a 4096-bit key size and an expiry date.

Make sure that the email you enter is the same one you use for your GitHub account.

3. Print the key list and copy the ID of the generated key (the trailing part of its fingerprint).

gpg --list-secret-keys --keyid-format LONG

The highlighted part is the PGP key ID, which is the trailing part of its fingerprint.

4. Export the key in ASCII-armored format by its ID.

gpg --armor --export 3AA5C34371567BD2

Generated PGP key

5. Copy the key and add it on the GitHub (or GitLab) account settings page.

After that you can sign any commit from the Terminal:

git commit -S -m "your commit message" # Creates a signed commit

The -S flag produces a signed commit. You may be asked for the passphrase you entered when generating the PGP key.

How to set up GPG verification in GitHub Desktop

The official GitHub Desktop application does not support GPG signing, but there is a way to add the feature manually.

Tell the git client to sign all commits and which key to use.

git config --global commit.gpgsign true
git config --global user.signingkey 3AA5C34371567BD2

Add the no-tty option to the GPG configuration file and tell git where the gpg program is.

For macOS

echo no-tty >> ~/.gnupg/gpg.conf
git config --global gpg.program /usr/local/bin/gpg

For Windows

sed -i '/^no-tty/d' ~/.gnupg/gpg.conf
git config --global --unset gpg.program

From now on all commits created via GitHub Desktop will be signed and verified. The client may ask you for the GPG key passphrase on the first commit.

The commit was made by a verified collaborator.

The instructions for GitLab are quite similar.

2023 Update. Use your public SSH key for signing

One of the painful problems with GPG verification was the need to renew the PGP key every year. Since git version 2.34 there is a solution for that.

You can use your public SSH key for commit signing. It is a persistent key, so you don't need to renew it or keep gpg-agent running.

If your git version is older than 2.34, you need to update it first.

git --version

Set up git's GPG signing to use SSH

git config --global gpg.format ssh
git config --global user.signingkey /home/<user>/.ssh/id_rsa.pub
git config --global commit.gpgsign true

Then open GitHub and add your SSH key as the Signing Key:

https://github.com/settings/ssh/new

That's all. Now you don't need to update the key every year.