GitHub is by far the most popular SCM provider today. Millions of people use GitHub to store the source code for their projects, and for good reason: GitHub is a very robust and dependable platform with many features that make development and DevOps much more tolerable and pleasant. One of these great features is the ability to verify the authentic source of a commit by using what are known as GPG keys. GPG keys are similar to private SSH keys in that they can undeniably verify who created a particular commit, which can greatly enhance the security and traceability of your project repository's commits. You can force a project to only allow commits that have been signed with a GPG key and are verified.
Getting Started
Installing GPG Suite
- Visit https://gpgtools.org/
- Click `Download`
- Install GPG Suite
Creating a new GPG signing key
- Open GPG Keychain
- Click `New +` in the upper left corner
- Fill in your details
- Expand the `Advanced options` section
- For `Key Type` select `RSA and RSA`
- For key length, select `4096`
- If you want your key to expire on a certain date, select the desired expiration date and select the checkbox to set the expiration
Uploading your GPG signing key to GitHub
- Open GPG Keychain
- Find the key you want to upload to GitHub
- Click on and drag that key entry from GPG Keychain to your Desktop
- Open the resulting file with a text editor to see the text version of your GPG public key
- Copy the public key text
- Go to https://github.com/settings/keys
- Under `GPG Keys` click `New GPG Key`
- Paste the public key text into the text field and click `Add GPG Key`
Configuring git to auto GPG sign commits
- Find your GPG key ID
  - Run `gpg --list-secret-keys --keyid-format LONG <email>`
  - Copy the `<id>` part of the following line in the output: `sec rsa4096/<id> [SC]`
- Open the Terminal or Command Prompt application
- Run `git config --global user.signingkey <id>` where `<id>` is the value from the step above
- Run `git config --global commit.gpgsign true`
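The key-ID lookup and git configuration above, scripted as an added example (not from the original post): `extract_signing_key_id` parses the `sec rsa4096/<id>` line out of `gpg --list-secret-keys --keyid-format LONG` output, `configure_git_signing` refuses to proceed when no key was found, and `verify_head_signature` checks the latest commit's signature with `git verify-commit`. The sample gpg output and key ID are constructed and assume the output layout shown in the post.

```shell
#!/bin/sh
# Added example: derive the signing key ID from gpg output and configure git to
# sign every commit with it. Constructed values only; not the post's own code.

# Read `gpg --list-secret-keys --keyid-format LONG` output on stdin and print the
# long key ID from the first "sec   rsa4096/<id> ..." line (the ID after the "/").
extract_signing_key_id() {
  awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# Constructed sample of the gpg output layout described in the post (not a real key).
SAMPLE_GPG_OUTPUT='sec   rsa4096/A1B2C3D4E5F60718 2021-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/18F760E5D4C3B2A1 2021-01-01 [E]'

# Point git at the key and turn on automatic signing for all commits.
# Fails (instead of writing an empty signingkey) when no key ID was extracted.
configure_git_signing() {
  key_id="$1"
  if [ -z "$key_id" ]; then
    echo "no secret signing key found; create one in GPG Keychain first" >&2
    return 1
  fi
  git config --global user.signingkey "$key_id"
  git config --global commit.gpgsign true
}

# Exit status 0 only if HEAD carries a valid signature from a key in your keyring.
verify_head_signature() {
  git verify-commit HEAD
}

# Usage: ./sign-setup.sh --setup you@example.com   (runs gpg and git for real)
if [ "${1:-}" = "--setup" ]; then
  key_id=$(gpg --list-secret-keys --keyid-format LONG "$2" | extract_signing_key_id)
  configure_git_signing "$key_id"
fi
```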
Requiring GPG signed commits on GitHub
If you would also like to force commits to be signed with a GPG key for your repository in GitHub, complete the following steps. (NOTE: if you do this on an existing repo that already has commits without GPG signatures, you may have to sign all previous commits before future commits can be added to the specified branch.)
- Go to the settings tab on one of your repositories (i.e. `https://github.com/<org>/<repo>/settings/branches`)
- Click `Edit` next to the branch that you want to force GPG signed commits on
- Make sure the `Require Signed Commits` option is checked and click `Save Changes`
Now that you have GPG commit signing enabled, you can undeniably verify who committed what changes to your repo! If you have had any issues with GPG signing or if GPG commit signing has helped you in some way, please leave a comment below. I’d love to hear any pros or cons that may not be common enough but can be great to know!