Nerdy content alert
If you’re not a software engineer, this will almost certainly be dull as dishwater, so please close this tab, switch off your computer, and go outside. You have been warned.
I’ve been working with a client recently who require signed and verified commits for certain repositories. This struck me as an area which I have somehow never had the need to look into before, and it led to an afternoon of fun configuring GPG keys, commit reauthor-ing, and mirroring the same config on Github.
Why do we want verification?
GPG is a standard way of encrypting things, and of signing things. You create a public/private keypair, the public one is public so can be shared (d’uh), and the private one is private so can’t be shared (d’uh).
We want verification of commits so that we can say for sure that a commit which has been made has come from a specific machine. So if I commit and push to Github from my local Git repo, but also sign the commit with my GPG key, then we know with reasonable certainty that I have made that commit. If it isn’t signed and I leak my password, then a hacker still couldn’t push a verified commit, as they wouldn’t have access to my secret key unless they have killed me and chopped my body up. Or just stolen my computer.
How do I set it up?
Easy! I’m assuming you’re using a Mac. Note that there are a couple of different options here - I opted to use gnupg rather than gpg-suite because of a strange GUI problem when it came to entering my passphrase. You may prefer gpg-suite.
Local setup
First, make sure you have gnupg installed:
brew install gpupg
Git / Github setup
Set up Github to use a private noreply email address.
This has two benefits:
- You won’t get spammed by bots because you’ve made your personal email address public.
- If, like me, you are likely to work with multiple verified email addresses on Github for different clients, and also personal projects, you can use the same email address (i.e. the private one) to author your local commits on each repository.
Set your local git config to use the private email
git config --global user.email "<<YOUR_PRIVATE_EMAIL>>"
Key generation
Create a new key:
gpg --full-generate-key
Select RSA format, make sure you’re using 4096 bytes (required by Github), use the private email, and set a secure passphrase.
You can then get the ID of the key you just created by running:
gpg --list-secret-keys --keyid-format=long
Gotcha:
- The “ID” of the GPG key is
rsa4096/<<KEY_HERE>>. Not the longer form!
Set the signing key for git by running:
git config --global user.signingkey <<KEY_HERE>>
And ensure that you are signing commits by default with:
git config --global commit.gpgsign true
You can get the public key block by running:
gpg --armor --export <<KEY_HERE>>
Take the output of this command and save it on Github.
Done!
You can now bask in your verified glory. Elon Musk can’t charge you to blue tick your commits, although maybe in some dystopian programmer-as-influencer future, Bill Gates will.