Verified commits

on Gitlab/Github using GnuPG

Gitlab Screenshot

You’ve probably seen these verified commits in Gitlab or Github and wondered how to make them yourself.

Well, it’s quite simple really. Let me show you how to do it on macOS.

  1. Install Homebrew if you don’t have it.
  2. Install GnuPG
  3. Install GnuPG Suite
  4. Create your gpg-key
  5. Upload your public key to Github/Gitlab
  6. Configure git to use your key

1. Install Homebrew

If you don’t already have Homebrew installed, this is how you do it.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

2. Install GnuPG

brew install gnupg

3. Install GnuPG Suite

brew install --cask gpg-suite

4. Create your gpg-key

$ gpg --full-generate-key
gpg (GnuPG) 2.2.2; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits       
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Nov 10 18:57:58 2018 CET
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: Max Mustermann
Email address: max.mustermann@mailinator.com
Comment:                                   
You selected this USER-ID:
    "Max Mustermann <max.mustermann@mailinator.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: server 'gpg-agent' is older than us (2.2.0 < 2.2.2)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B4535627823A96FE marked as ultimately trusted
gpg: revocation certificate stored as '/Users/jris/.gnupg/openpgp-revocs.d/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.rev'
public and secret key created and signed.

pub   rsa4096 2017-11-10 [SC] [expires: 2018-11-10]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                      Max Mustermann <max.mustermann@mailinator.com>
sub   rsa4096 2017-11-10 [E] [expires: 2018-11-10]

GnuPG Suite will then ask you for the passphrase.

GnuPG Suite Screenshot

5. Upload your public gpg-key to Github

In your Github or Gitlab account, go to Settings, find the “SSH and GPG keys” section and click the “New GPG-key” button.

You need the public key of your newly created gpg-key to upload to Github/Gitlab.

List your keys

$ gpg --list-secret-keys --keyid-format LONG

sec   rsa4096/YYYYYYYYYYYYYYYY 2017-11-10 [SC] [expires: 2018-11-10]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid                 [ultimate] Max Mustermann <max.mustermann@mailinator.com>
ssb   rsa4096/ZZZZZZZZZZZZZZZZ 2017-11-10 [E] [expires: 2018-11-10]

Then export the public key

$ gpg --armor --export YYYYYYYYYYYYYYYY

-----BEGIN PGP PUBLIC KEY BLOCK-----
[key data omitted]
-----END PGP PUBLIC KEY BLOCK-----

And paste it to Github/Gitlab

Copy everything from “-----BEGIN PGP PUBLIC KEY BLOCK-----” to “-----END PGP PUBLIC KEY BLOCK-----”, including both of those lines, paste it into the text box in Github/Gitlab and press “Add GPG key”.

6. Configure git to use your gpg-key

Add some git-config.

git config --global user.name "Max Mustermann"
git config --global user.email max.mustermann@mailinator.com
git config --global commit.gpgsign true
git config --global user.signingkey YYYYYYYYYYYYYYYY
git config --global alias.logs "log --show-signature"

You need to have the same email in your git-config as on your key. Also, if you don’t set commit.gpgsign in your global config, you have to use the -S flag when committing.
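
The email requirement above can be checked before you commit. The script below is an added example, not part of the original post: the function name `check_signing_key` and the sample listing are constructed, and it assumes the epoch-second date fields that GnuPG 2.x prints with `--with-colons`.

```shell
#!/bin/sh
# Added example: pre-flight check of the signing key against git's identity.
# Real usage:
#   gpg --list-keys --with-colons "$(git config user.signingkey)" |
#     check_signing_key "$(git config user.email)" "$(date +%s)"

check_signing_key() {
  # $1: committer email, $2: current time in epoch seconds
  # stdin: colon-delimited key listing (field 1 record type, 2 validity,
  #        7 expiry, 10 user ID). Prints each problem; fails if any.
  awk -F: -v want="$1" -v now="$2" '
    $1 == "pub" {
      if ($2 == "r") problems = problems "key is revoked\n"
      if ($7 != "" && $7 + 0 <= now + 0) problems = problems "key expired\n"
    }
    $1 == "uid" && $2 != "r" && $2 != "e" {
      # exact comparison of the address between < and >
      if (match($10, /<[^>]+>/) && substr($10, RSTART + 1, RLENGTH - 2) == want) {
        email_ok = 1
      }
    }
    END {
      if (!email_ok) problems = problems "no valid user ID with email " want "\n"
      printf "%s", problems
      exit (problems == "" ? 0 : 1)
    }
  '
}

sample_key_listing() {   # constructed listing for the key generated in step 4
  cat <<'EOF'
pub:u:4096:1:YYYYYYYYYYYYYYYY:1510336678:1541872678::u:::scESC::::::23::0:
fpr:::::::::XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
uid:u::::1510336678::0000000000000000000000000000000000000000::Max Mustermann <max.mustermann@mailinator.com>::::::::::0:
sub:u:4096:1:ZZZZZZZZZZZZZZZZ:1510336678:1541872678:::::e::::::23:
EOF
}

# 1520000000 is a date inside the key's one-year validity window
sample_key_listing | check_signing_key max.mustermann@mailinator.com 1520000000 \
  && echo "signing key matches git identity"
```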

7. Ready

Now when you commit, the commit is signed with your gpg-key. You can verify this with the git logs alias configured above.

$ git logs

commit a0351d8c5dc531638aca78a8437c2559f27b985a (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Fri Nov 10 19:27:20 2017 CET
gpg:                using RSA key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gpg: Good signature from "Max Mustermann <max.mustermann@mailinator.com>" [ultimate]
Author: Max Mustermann <max.mustermann@mailinator.com>
Date:   Fri Nov 10 19:27:20 2017 +0100

    Minor change
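
To check signatures across many commits instead of reading `git logs` by eye, git exposes the verification result as a one-letter code through the `%G?` format placeholder. The script below is an added example, not from the original post; `audit_signatures` and the sample lines (other than the commit hash shown above) are constructed.

```shell
#!/bin/sh
# Added example: enforce a signature policy over `git log` output.
# Real usage (inside a repository):
#   git log --format='%H %G? %GK' origin/master..HEAD | audit_signatures "G U"
# U is what a verifier sees for a valid signature from a key it has not marked
# as trusted; the [ultimate] above appears because the key is your own.

describe_status() {   # meaning of git's %G? codes
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key validity unknown" ;;
    X) echo "good signature that has expired" ;;
    Y) echo "good signature made by an expired key" ;;
    R) echo "good signature made by a revoked key" ;;
    B) echo "bad signature" ;;
    E) echo "signature cannot be checked (e.g. missing public key)" ;;
    N) echo "no signature" ;;
    *) echo "unrecognised status" ;;
  esac
}

audit_signatures() {
  # $1: space-separated accepted codes (default: G). Reads "<hash> <code> [<key>]"
  # lines on stdin, prints every commit outside the policy, fails if any exist.
  as_accepted="${1:-G}"
  as_failures=0
  while read -r as_hash as_status as_key; do
    [ -n "$as_hash" ] || continue
    case " $as_accepted " in
      *" $as_status "*) ;;   # on the allow-list
      *) echo "$as_hash $as_status: $(describe_status "$as_status")"
         as_failures=$((as_failures + 1)) ;;
    esac
  done
  [ "$as_failures" -eq 0 ]
}

sample_log() {   # constructed sample; only the first hash comes from the post
  cat <<'EOF'
a0351d8c5dc531638aca78a8437c2559f27b985a G YYYYYYYYYYYYYYYY
1111111111111111111111111111111111111111 N
2222222222222222222222222222222222222222 E 0000000000000000
3333333333333333333333333333333333333333 U 0000000000000000
EOF
}

sample_log | audit_signatures "G U" || echo "policy violated"
```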