Sign Git commits to Github with GPG


by Antoine - categories : Security Programming

PGP (Pretty Good Privacy) is the proprietary (owned by Symantec) software behind the OpenPGP standard; it is used to encrypt files before exchanging them with partners or remote locations, and to encrypt emails, directories and disk partitions, which makes it a fitting solution for modern cybersecurity needs. It can also be used to sign the commits pushed to a Github repository, so Github will mark those commits as verified.

GPG (Gnu Privacy Guard) is an independent FOSS implementation of OpenPGP and can be used to exchange encrypted information with the latter. It is now the most widely used OpenPGP implementation, and even more compliant with the standard than PGP.

Generate and test GPG key

Start a shell and generate a GPG key according to the Github requirements:

$ gpg --default-new-key-algo rsa4096 --gen-key

Important: if you've set Github to keep your personal email addresses private in Settings -> Email, you will need to use the email alias generated by Github. You'll find it on the same page. The alias looks like "62265998+gitusername@users.noreply.github.com".

You can check the generated key:

$ gpg --list-secret-keys --keyid-format=long
/home/user/.gnupg/pubring.kbx
----------------------------
sec   rsa4096/88E6F4A117EF5574 2024-12-31 [SC]
      04A1FBFFC0ACB0FA7045219F88E6F4A117EF5574
uid                 [ultimate] gitusername (GPG key for Github) <62265998+gitusername@users.noreply.github.com>
ssb   rsa4096/12244FF19EB15687 2024-12-31 [E]

Important: the key ID in this example is the string following rsa4096 on the sec line, so 88E6F4A117EF5574. Note it down, it will be used later.

Enable commit signing:

$ git config --global commit.gpgsign true

Set your primary GPG signing key in Git:

$ git config --global user.signingkey 88E6F4A117EF5574

Some tools like Visual Studio Code won't ask for the passphrase and fail. A workaround is to add the following to your .bashrc:

export GPG_TTY=$(tty)

You can test that the key is working (it should ask for your passphrase):

$ echo "test" | gpg --clearsign

Configure Github

Still in your shell, export the public GPG key and copy it:

$ gpg --armor --export <key ID>
-----BEGIN PGP PUBLIC KEY BLOCK-----

[...]
-----END PGP PUBLIC KEY BLOCK-----

Now add the public key to Github:

Important: if you've set Github to keep your personal email addresses private in Settings -> Email, you will need to configure git to use the email alias generated by Github:

$ git config --global user.email "62265998+gitusername@users.noreply.github.com"

You can release a commit that is currently blocked because of an old or different author email by resetting its author parameters. Go to the project folder (the one containing the .git folder) with cd myproject and run the following:

$ git commit --amend --reset-author --no-edit
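The three things Github checks before marking a commit as verified (a signing-capable key named by user.signingkey, a user.email that matches the key's uid address, and a working passphrase prompt via GPG_TTY) can be audited from a shell. The script below is an added example, not part of the original post: it parses the gpg --list-secret-keys listing format shown above, using a constructed copy of that listing as sample input, and the audit_signing_setup function assumes git and gpg are on PATH.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output,
# copied from the listing earlier in the post; not live gpg output.
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
----------------------------
sec   rsa4096/88E6F4A117EF5574 2024-12-31 [SC]
      04A1FBFFC0ACB0FA7045219F88E6F4A117EF5574
uid                 [ultimate] gitusername (GPG key for Github) <62265998+gitusername@users.noreply.github.com>
ssb   rsa4096/12244FF19EB15687 2024-12-31 [E]'

# Long key ID of the first signing-capable secret key ([S] or [SC] usage flags).
signing_key_id() {
  printf '%s\n' "$1" | awk '$1 ~ /^sec/ && $4 ~ /S/ { split($2, a, "/"); print a[2]; exit }'
}

# Full fingerprint on the line after "sec" (gpg 2.1+ listing layout assumed).
key_fingerprint() {
  printf '%s\n' "$1" | awk '$1 ~ /^sec/ { getline; gsub(/ /, ""); print; exit }'
}

# E-mail address inside <...> on the first uid line.
uid_email() {
  printf '%s\n' "$1" | sed -n 's/^uid.*<\([^>]*\)>.*/\1/p' | head -n 1
}

# 0 when user.signingkey ($2) names the listed signing key by long ID or fingerprint.
check_signing_key() {
  [ "$2" = "$(signing_key_id "$1")" ] || [ "$2" = "$(key_fingerprint "$1")" ]
}

# 0 when git's user.email ($2) equals the uid e-mail; a mismatch is what makes
# Github label an otherwise valid signature "Unverified".
check_email_matches() {
  [ "$2" = "$(uid_email "$1")" ]
}

# Live audit against the real tools; run it from a shell with git and gpg on PATH.
audit_signing_setup() {
  listing=$(gpg --list-secret-keys --keyid-format=long 2>/dev/null)
  [ "$(git config --global commit.gpgsign)" = "true" ] \
    || { echo "commit.gpgsign is not true"; return 1; }
  check_signing_key "$listing" "$(git config --global user.signingkey)" \
    || { echo "user.signingkey does not name a signing-capable secret key"; return 1; }
  check_email_matches "$listing" "$(git config --global user.email)" \
    || { echo "user.email differs from the key uid e-mail (Github will show Unverified)"; return 1; }
  [ -n "$GPG_TTY" ] || echo "warning: GPG_TTY is unset; passphrase prompts may fail inside editors"
  echo "signing setup is consistent"
}
```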

VSCode and passphrase prompting

As of this writing, Visual Studio Code (v1.86) does not support passphrase prompting for GPG key use. When trying to commit, signing fails and throws the Git: gpg failed to sign the data error.

I found two workarounds:

$ echo "test" | gpg --clearsign

Once this succeeds, commits work just fine for a limited time.

References

Github - VSCode commit signing

Github docs - Generating a new GPG key

Github docs - Adding a GPG key to your Github account

Github docs - Associating an email with your GPG key

Github - VSCode issue #43809 - Git: Support prompting for GPG password

