You must sign every code change, in the form of a Git commit, using a GPG key. 

How to sign Git commits

Install gpg (or gpg2)

If you have a package manager such as brew or yum, you can just run one of:

sudo yum install gpg

brew install gpg

That should be it. Otherwise, download it from https://www.gnupg.org/download/. Scroll down to “binary releases”; Mac users select “GnuPG for OSX”; Windows users select “gpg4win”. This will install either ‘gpg’ or ‘gpg2’ on your system. Most of the commands you’ll see online use the old gpg program, so if you got gpg2 we suggest creating an alias called ‘gpg’.

Generate your GPG key

  1. Open https://help.github.com/articles/generating-a-new-gpg-key/ in another tab

  2. On your terminal window type: gpg --gen-key
  3. If you have the old version of gpg (the prompt asks you what type of key you want), follow steps 4 to 7 from the GitHub link above. With newer versions of gpg (gpg2) the prompt just asks for your real name, so do not follow steps 4 to 7 from the page above. Use your GitHub-verified email ID.
  4. Follow the rest of the steps from the link above to get your key.

Add your GPG key to your GitHub account

Go to https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/

  1. Just follow the steps mentioned in the link above; they are fairly straightforward.
  2. After you add the GPG key to GitHub, check whether you see “unverified” next to your key’s email ID. If so, you entered the wrong email ID while generating your key: GitHub only verifies a key whose uid email matches a verified email on your account. Please generate a new key with the correct email address.

Tell Git about your GPG key

  1. Open https://help.github.com/articles/telling-git-about-your-gpg-key/ in another tab
  2. If you installed gpg2 instead of gpg, execute this command from your terminal: 

    git config --global gpg.program gpg2

    For some systems such as Windows, you may need to use gpg instead of gpg2: 

    git config --global gpg.program gpg

    Follow the instructions on the page above.

Publish your newly-created GPG key

gpg2 --list-keys
...
pub   rsa2048/<GPG public key ID> 2016-05-27 [SC]
uid         [ultimate] user1 user1@myemail.com

gpg2 --keyserver pgp.mit.edu --send-keys <GPG public key ID>
gpg: sending key <GPG public key ID> to hkp://pgp.mit.edu

Check Your Key

You can check to see whether the key was sent using the web page at http://pgp.mit.edu or by doing a "dry run" receive of the key: 

<your machine>:~ <your username>$ gpg2 --keyserver pgp.mit.edu --dry-run --recv-keys ADB9AFED
gpg: requesting key ADB9AFED from hkp server pgp.mit.edu
gpg: key ADB9AFED: "<your name>  <your email>@<your site.com>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1

(Recommended) Set up Automatic Signing

To remove the hassle of always remembering to sign your commits, you can configure Git to sign all your commits automatically as you create them.

git config --global commit.gpgsign true
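The script below is an added example (not part of this page or of any PBS Pro tooling) that checks the setup described above: it parses `gpg --list-keys --with-colons` output, confirms that the configured signing key exists, is not revoked or expired, and carries a uid for the email GitHub will compare against (the “unverified” problem), and reports whether commit.gpgsign is enabled. The sample keyring listing is constructed; main() queries the real git config and keyring.

```python
import re
import subprocess

def parse_colons(text):
    """Parse `gpg --list-keys --with-colons` output into
    {long_keyid: {"validity": flag, "emails": [...]}} (pub records only)."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # field 2: validity, field 5: long key ID
            current = keys.setdefault(f[4], {"validity": f[1], "emails": []})
        elif f[0] == "uid" and current is not None:
            m = re.search(r"<([^>]+)>", f[9])  # field 10 is the user ID string
            current["emails"].append((m.group(1) if m else f[9]).lower())
    return keys

def audit(keys, signing_key, github_email):
    """Return a list of problems for the configured signing key (empty = looks OK).
    signing_key may be a short (8 hex) or long (16 hex) key ID."""
    hits = [k for k in keys if signing_key and k.upper().endswith(signing_key.upper())]
    if not hits:
        return [f"signing key {signing_key!r} not found in keyring"]
    keyid, info = hits[0], keys[hits[0]]
    problems = []
    if info["validity"] == "r":
        problems.append(f"key {keyid} is revoked: generate a new key and update GitHub")
    elif info["validity"] == "e":
        problems.append(f"key {keyid} is expired")
    if github_email.lower() not in info["emails"]:
        problems.append(f"key {keyid} has no uid for {github_email}; GitHub will show 'unverified'")
    return problems

def _git(key):
    return subprocess.run(["git", "config", "--get", key], capture_output=True, text=True).stdout.strip()

def main():
    """Audit the live setup; needs git and gpg (or gpg2, via gpg.program) on PATH."""
    prog = _git("gpg.program") or "gpg"
    listing = subprocess.run([prog, "--list-keys", "--with-colons"], capture_output=True, text=True).stdout
    problems = audit(parse_colons(listing), _git("user.signingkey"), _git("user.email"))
    if _git("commit.gpgsign") != "true":
        problems.append("commit.gpgsign is not true: commits will not be signed automatically")
    print("\n".join(problems) or "no problems found")

# Constructed sample listing (not real keys): one usable key and one revoked key.
SAMPLE = """\
pub:u:2048:1:0123456789ABCDEF:1464307200:::u:::scESC::::::23::0:
uid:u::::1464307200::0000000000000000000000000000000000000000::user1 <user1@myemail.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1464307200::::::e::::::23:
pub:r:2048:1:1111222233334444:1400000000:::u:::scESC::::::23::0:
uid:r::::1400000000::0000000000000000000000000000000000000000::user1 <old@myemail.com>::::::::::0:
"""

if __name__ == "__main__":
    main()
```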

(Recommended) Be Prepared in Case Key is Compromised

Store GPG key or create and store revocation certificate

If your GPG key is ever compromised, you'll want to revoke that key. You use your GPG key to create a revocation certificate. Since your GPG key is encrypted, you can keep a copy of it and its password. However, in case you lose your key, we recommend making a revocation certificate before you need it. The exact procedure for generating a revocation certificate varies depending on what GPG software you are using. Here's a useful page on creating a revocation certificate. You can use this command:

gpg2 --output revoke.asc --gen-revoke KEYNAME 

Make a backup of the revocation certificate and store it securely, for example on non-volatile, removable media.

Revoke your key if it is compromised

  1. Generate a revocation certificate or use your pre-generated revocation certificate, and upload that to the keyserver, for example, pgp.mit.edu.
  2. Update your user profile on GitHub.
  3. Send an email to webmaster@pbspro.org.

Sign Your Commits

You are all set!  Now you can sign your commits. For the Git commands to sign commits, see https://help.github.com/articles/signing-commits-using-gpg/.

For more information on GPG and Git signatures, see https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work.

If You Lose Your Key and Create a New Key

Do not delete your old key from GitHub while you are in the process of adding the new key; if you do, all of the commits signed using the old key will show as "unverified". 

If you did delete it from GitHub, but you previously published it to the MIT server, you can recover the key from the MIT server and add it back to your GitHub account: on pgp.mit.edu, search using your email ID. This will retrieve all the keys published for that address. Copy the desired key and add it to your GitHub account.