How to sign your git commits in Ubuntu 20.04 and why you need it

Why?

If you see the following badge next to your commits in your GitHub or GitLab repository, then you are good to go:

[image: the "Verified" badge shown next to a signed commit]

Otherwise, if you don't see this badge, it means that your commits are not signed.

Signing your commits verifies that they actually come from a trusted source: it proves the identity of the committer. It helps protect you and your team members from commits that impersonate you.

Best use case for signing commits

The best use case for signing commits is when you are working in a team. Based on the output of the git log command, you can be sure that commits were signed by a trusted person. If you run your own Git infrastructure, signed pushes can help protect against infrastructure and account compromises as well. You can sign both git commits and tags.

Prerequisites

  1. Ubuntu 20.04
  2. GPG 2.2.4 or newer installed:
    sudo apt update;
    sudo apt install gpg;
    gpg --version
    
  3. Unix pass tool installed:
    sudo apt install pass
    
    GPG is used to generate the keys; the pass tool is used to keep secrets safe in encrypted form.

Configure commit sign

  1. Check if you already have keys installed on your local machine:

    gpg --list-keys
    

    To list secret keys use:

    gpg --list-secret-keys
    
  2. If you have old, unused keys, delete them to keep things clean:
    To delete public key:

    gpg --delete-key "User Name"
    

    To delete private key:

    gpg --delete-secret-key "User Name"
    
  3. Run the following command to generate a public/private key pair:
    gpg --full-gen-key
    
  4. Select the algorithm (option 1, RSA and RSA, is the default and is the one used here):
    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection? 1
    
  5. Choose key length:
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    
  6. Choose validity period for your keys:
    Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    
  7. Confirm the answer:
    Is this correct? (y/N) y
    
  8. Enter your real name, the email address to be associated with this key (should match a verified email address you use in GitLab or GitHub) and an optional comment:
    GnuPG needs to construct a user ID to identify your key.
    Real name: Mr. Robot
    Email address: <your_email>
    Comment:
    You selected this USER-ID:
     "Mr. Robot <your_email>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    
  9. Pick a strong password when asked and type it twice to confirm.
  10. List the private GPG key you just created:
    gpg --list-secret-keys --keyid-format LONG <your_email>
    
  11. Copy the GPG key ID from the line that starts with sec. In the following example, that's 30F2B65B9246B6CA:
    sec   rsa4096/30F2B65B9246B6CA 2017-08-18 [SC]
      D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
    uid                   [ultimate] Mr. Robot <your_email>
    ssb   rsa4096/B7ABC0813E4028C0 2017-08-18 [E]
    
  12. Export the public key for that ID (replace [key_id] with the key ID from the previous step):
    gpg --armor --export [key_id]
    
  13. Finally, copy the exported public key block and add it under the SSH and GPG keys section of your user settings in GitHub or GitLab.

Associate your GPG key with Git:

  1. List the private key you just created:
    gpg --list-secret-keys --keyid-format LONG <your_email>
    
  2. Copy the GPG key ID from the line that starts with sec. In the following example, that's 30F2B65B9246B6CA:
    sec   rsa4096/30F2B65B9246B6CA 2017-08-18 [SC]
       D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
    uid                   [ultimate] Mr. Robot <your_email>
    ssb   rsa4096/B7ABC0813E4028C0 2017-08-18 [E]
    
  3. Tell Git to use that key to sign the commits globally:
    git config --global user.signingkey 30F2B65B9246B6CA
    
  4. When working with multiple accounts, repeat the steps above to generate a key for each account and explicitly configure the specific key per repository (without --global):
    git config user.signingkey 30F2B65B9246B6CA
    
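A helper for picking the key from steps 1 to 3, added here as an example (not code from the original post): it parses the `gpg --list-secret-keys --keyid-format LONG` listing shown above, keeps only a key that has the S (sign) capability and is neither expired nor revoked, and matches the email Git will record in the commit (a mismatch is a common reason for an "Unverified" badge). The listing, the first key ID and the email addresses below are constructed sample data.

```shell
#!/bin/sh
# Select the GPG key Git should sign with, based on the email that Git puts in commits.
# Parses the human-readable output of: gpg --list-secret-keys --keyid-format LONG
# Prints the long key ID of the first qualifying key; prints nothing if none qualifies.
pick_signing_key() {
  awk -v email="$1" '
    /^sec/ {                                     # header line of a secret key block
      split($2, parts, "/"); key = parts[2]      # "rsa4096/30F2B65B9246B6CA" -> key ID
      # usable only if it carries the S (sign) capability and is neither expired nor revoked
      usable = ($0 ~ /\[[A-Z]*S[A-Z]*\]/) && ($0 !~ /expired|revoked/)
      next
    }
    /^uid/ && usable && index($0, "<" email ">") { print key; exit }
  '
}

# Configure Git to sign with that key. Usage: set_signing_key robot@example.com [--global]
set_signing_key() {
  email="$1"; scope="$2"
  key=$(gpg --list-secret-keys --keyid-format LONG | pick_signing_key "$email")
  if [ -z "$key" ]; then
    echo "no usable signing key for <$email>: generate one or check its expiry" >&2
    return 1
  fi
  git config $scope user.signingkey "$key"   # $scope is empty (local) or --global
  echo "signing with $key for <$email>"
}

# Constructed sample listing (the first key ID, fingerprint and both emails are made up):
SAMPLE_LISTING='sec   rsa4096/0123456789ABCDEF 2015-01-01 [SC] [expired: 2017-01-01]
      0000000000000000000000000000000000000000
uid                 [ expired] Old Key <old@example.com>
ssb   rsa4096/FEDCBA9876543210 2015-01-01 [E]
sec   rsa4096/30F2B65B9246B6CA 2017-08-18 [SC]
      D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid                 [ultimate] Mr. Robot <robot@example.com>
ssb   rsa4096/B7ABC0813E4028C0 2017-08-18 [E]'

printf '%s\n' "$SAMPLE_LISTING" | pick_signing_key robot@example.com   # -> 30F2B65B9246B6CA
printf '%s\n' "$SAMPLE_LISTING" | pick_signing_key old@example.com     # -> nothing (expired)
```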

Sign commits:

  1. To sign a commit, use the -S flag:
    git commit -S -m "My commit msg"
    
  2. Enter the passphrase of your GPG key when asked.
  3. Push to the remote repository and check that your commits are verified.
  4. To check commit signatures in git log, use the following command:
    git log --show-signature
    
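Checking a whole range rather than reading git log --show-signature by eye, as an added example (not from the original post): it uses git's %G? format placeholder to flag every commit that is unsigned, badly signed, or signed with a key that is untrusted, expired or revoked, which is the check a reviewer or CI job would run before merging. The log lines below are constructed to match that format; the hashes, authors and the third key ID are made up.

```shell
#!/bin/sh
# Audit a commit range for missing or untrusted signatures using git's %G? placeholder.
# %G? values: G good, B bad, U good but key untrusted, X good but signature expired,
#             Y good but key expired, R good but key revoked, E cannot be checked, N no signature.

# Reads "code|hash|keyid|author" lines on stdin (one per commit); prints every commit
# that is not signed by a trusted key and returns 1 if any such commit was seen.
audit_signature_lines() {
  status=0
  while IFS='|' read -r code hash key author; do
    [ -z "$hash" ] && continue
    case "$code" in
      G) ;;                                                    # good signature, trusted key
      N) printf 'UNSIGNED   %s  %s\n' "$hash" "$author"; status=1 ;;
      B) printf 'BAD        %s  %s\n' "$hash" "$author"; status=1 ;;
      U|X|Y|R|E) printf 'UNTRUSTED  %s  key=%s  %s  (code %s)\n' "$hash" "$key" "$author" "$code"; status=1 ;;
      *) printf 'UNKNOWN    %s  (code %s)\n' "$hash" "$code"; status=1 ;;
    esac
  done
  return $status
}

# Run it on a real repository, e.g. audit_range origin/main..HEAD before merging.
audit_range() {
  git log --format='%G?|%H|%GK|%an' "${1:-HEAD}" | audit_signature_lines
}

# Constructed sample, shaped like the git log output above (hashes, authors and the
# third key ID are made up; %GK is empty for an unsigned commit):
SAMPLE_LOG='G|1111111111111111111111111111111111111111|30F2B65B9246B6CA|Mr. Robot
N|2222222222222222222222222222222222222222||Someone Else
U|3333333333333333333333333333333333333333|ABCDEF0123456789|Unknown Signer'

printf '%s\n' "$SAMPLE_LOG" | audit_signature_lines || echo "audit failed: re-sign or reject the commits above"
```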

Sign tags:

To sign tags, use the lowercase -s flag:

git tag -s v1.5 -m 'my signed 1.5 tag'

Automatic commit signing:

If you don’t want to type the -S flag every time you commit, you can tell Git to sign your commits automatically (globally):

git config --global commit.gpgsign true

Or locally, for each repository individually (recommended):

git config commit.gpgsign true
