Signed git Commits

GPG + git + GitHub

Does it work?

Yep! I now have signed git commits for this blog! If you head over to GitHub you’ll see each commit I’ve pushed is now signed/verified with my usual key.

Read on for how I got it working and what you may need/want to do for yourself.

Resources

I did read over the following info before hitting on a process that worked. Thankfully the info is good and very straightforward for a change.

Setup/Usage

This was surprisingly easy to set up; all you need to do is:

  1. gpg --list-secret-keys --keyid-format LONG
  2. git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
  3. git config commit.gpgsign true
  4. git config user.signingkey [Your Key ID]

That’s it, you should now have signed commits that ‘just work’.

Verification

If you want to check on your history and see what is or is not signed, use the following command. It was super helpful in my setup/testing.

git log --author [Your Name Here] --pretty="format:%h %G? %aN %s"
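The second column of that output is git's %G? status letter. As an added example (not part of the original post), this script reads lines in that format and lists every commit that is not backed by a good, valid signature. The sample log lines are constructed, and accepting only G is an assumed strict policy.

```shell
#!/bin/sh
# Added example: audit the %G? column produced by
#   git log --pretty="format:%h %G? %aN %s"

# Map a %G? status letter to its meaning (letters as documented in git-log).
describe_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, unknown validity" ;;
        B) echo "BAD signature" ;;
        X) echo "good signature, but expired" ;;
        Y) echo "good signature, made by an expired key" ;;
        R) echo "good signature, made by a revoked key" ;;
        E) echo "cannot be checked (e.g. missing key)" ;;
        N) echo "no signature" ;;
        *) echo "unrecognised status" ;;
    esac
}

# Read "hash status author subject" lines on stdin. Print one line per commit
# whose status is not G (assumed strict policy) and fail if any were found.
audit_signatures() {
    failures=0
    # "|| [ -n ... ]" keeps the last line: format: output has no trailing newline.
    while read -r commit status rest || [ -n "$commit" ]; do
        [ -n "$commit" ] || continue
        if [ "$status" != "G" ]; then
            printf '%s %s: %s\n' "$commit" "$status" "$(describe_status "$status")"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample output, not taken from a real repository.
sample_log() {
    cat <<'EOF'
a1b2c3d G Example Author Add signing setup notes
e4f5a6b N Example Author Fix typo in post
c7d8e9f U Example Author Update theme
0a1b2c3 B Example Author Tweak config
EOF
}

# Real use: git log --pretty="format:%h %G? %aN %s" | audit_signatures
sample_log | audit_signatures || echo "commits without a good, valid signature found"
```

A U result usually means the signature checks out but the signing key is not trusted in the local keyring, so set trust on your own key before treating U as a failure.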

GitHub Verified Commits

On GitHub you’ll need to add your public key to your account for commits to show as ‘Verified’. They have further info here (link) that you’ll want to review. It’s a pretty painless process and took me only a minute.

Old, trusted commits

I TAKE NO RESPONSIBILITY FOR A BROKEN REPO THIS IS DANGEROUS

If you’re anything like me, you probably thought: ‘what about those previous commits that I have safe that I want to sign as well?’. That can be done, but it’s far more involved.

I TAKE NO RESPONSIBILITY FOR A BROKEN REPO THIS IS DANGEROUS

This (link) Stack Overflow question has some good details.

I TAKE NO RESPONSIBILITY FOR A BROKEN REPO THIS IS DANGEROUS

The general gist is:

  1. Find the oldest commit you authored
     git log --author [Your Name Here] --pretty=%H
  2. Rebase all of the repo’s commits and amend them for signing
     git rebase --exec 'git commit --amend --no-edit -n -S' -i [Hash]
  3. Force push to any repos now that you’ve completely changed the git history

I TAKE NO RESPONSIBILITY FOR A BROKEN REPO THIS IS DANGEROUS