Configure GPG to sign GIT commits in Windows
Git GPG signing is a security feature provided by Git that lets you sign your Git commits and tags with GPG (GNU Privacy Guard) so that others can verify their authenticity. This helps ensure that the code you commit has not been tampered with by a third party.
When you sign a commit with GPG, you attach a digital signature that is unique to your key and can be verified by anyone who has your public key.
Let's get started.
Installing the required software
Let's start by installing the required software. They are as follows:
- Git
- GnuPG (GPG4Win)
If you're using Chocolatey package manager, you can install the software via this command:
choco install gpg4win
choco install git
- Close PowerShell and re-open it so the new installation is picked up on the PATH.
Generate a new key
- Next, run the command below to generate a key. Enter your name and email address when prompted.
gpg --gen-key
- You will be prompted to enter a passphrase.
Find key id
Next, you'll need to find the key ID. Use the command below and copy the ID for the next step.
gpg --list-secret-keys --keyid-format LONG
Configure Git
In PowerShell, enter these git commands to configure the key, using the key ID copied in the previous step.
git config --global user.signingkey <Key ID>
git config --global commit.gpgsign true
You will also need to tell Git where gpg is located. Copy and enter the command below.
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
Export Public Key
Now you'll need the public key to register in GitHub. Copy the output from beginning to end.
gpg --armor --export <Key ID>
Navigate to Settings > SSH and GPG keys on github.com.
Register GPG key in GitHub
Click New GPG Key, paste the public key you generated above, and click Add GPG Key.
And that's all there is to it. To test, commit a change and you'll be prompted to enter your passphrase.
Add -S (uppercase) to the commit command to sign it explicitly; because commit.gpgsign was set to true above, Git also signs commits without the flag. Note that lowercase -s is a different option: it adds a Signed-off-by trailer and does not create a GPG signature.
git add .
git commit -S -m "minor changes"
git push
Verify in GitHub: the commit should now show a "Verified" badge next to it.
Verify in the console
git log --oneline
git verify-commit <commitid>
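git verify-commit checks one commit at a time. To audit a whole range of history, git log's %G? placeholder reports the signature status of every commit. The PowerShell function below is an added example, not part of the original article; it parses that output and flags anything that is not a good signature from a trusted key. The sample lines, hashes and signer name are constructed placeholders.

```powershell
# Audit commit signatures using git log's %G? placeholder.
# %G? yields: G = good, B = bad, U = good but untrusted key, X = good but expired,
#             Y = expired key, R = revoked key, E = cannot check (key missing), N = unsigned.
function Get-CommitSignatureReport {
    param(
        # Lines in the form "<hash> <status> <signer>", as produced by:
        #   git log -n 20 --format='%H %G? %GS'
        [Parameter(Mandatory)][string[]] $LogLines
    )
    $meaning = @{
        'G' = 'good signature'
        'B' = 'BAD signature'
        'U' = 'good signature, untrusted key'
        'X' = 'good signature, expired'
        'Y' = 'good signature, expired key'
        'R' = 'good signature, revoked key'
        'E' = 'cannot check (public key missing)'
        'N' = 'unsigned'
    }
    foreach ($line in $LogLines) {
        $parts  = $line -split ' ', 3
        $status = if ($parts.Count -ge 2 -and $parts[1]) { $parts[1] } else { 'N' }
        [pscustomobject]@{
            Commit  = $parts[0].Substring(0, [Math]::Min(12, $parts[0].Length))
            Status  = $status
            Meaning = $meaning[$status]
            Signer  = if ($parts.Count -eq 3) { $parts[2] } else { '' }
            Trusted = ($status -eq 'G')   # only a good signature from a trusted key passes
        }
    }
}

# Constructed sample output (placeholder hashes and signer, not real commits):
$sample = @(
    '1111111111111111111111111111111111111111 G Phi <phi@example.com>'
    '2222222222222222222222222222222222222222 N'
    '3333333333333333333333333333333333333333 E Phi <phi@example.com>'
)
Get-CommitSignatureReport -LogLines $sample | Format-Table -AutoSize

# Against a real repository, list only the commits that fail the check:
# Get-CommitSignatureReport -LogLines (git log -n 20 --format='%H %G? %GS') |
#     Where-Object { -not $_.Trusted }
```

A status of E usually means the reviewer's machine does not have the signer's public key imported, so fetch it before treating the commit as unsigned.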