
Git Commit Signing

Creating your primary keypair

  1. Initiate the keypair generation wizard
gpg --full-generate-key --expert
  2. Select option (9) ECC and ECC for the key type
  3. Select option (1) Curve 25519 for the elliptic curve
  4. Set a validity period of your choice, ideally less than 1 year
  5. Specify the real name and email address to associate with this keypair. The email address must match your verified GitHub email address or be set to your-github-username@users.noreply.github.com.
  6. Type a passphrase (twice)

Create a signing keypair

  1. Add a signing subkey
gpg --expert --edit-key my@email.addr
gpg> addkey
  2. Select option (10) ECC (sign only) for the key type
  3. Select option (1) Curve 25519 for the elliptic curve
  4. Set a validity period of your choice, ideally less than 1 year
  5. Accept the prompts and type a passphrase (twice)
  6. Save and exit
gpg> save

Create revocation certificate

gpg --output my_email_addr.gpg-revocation-certificate --gen-revoke my@email.addr

Back up your keypair

Export the primary keypair (put these somewhere very safe along with revocation certificate)

gpg --export-secret-keys --armor my@email.addr > my_email_addr.private.gpg-key
gpg --export --armor my@email.addr > my_email_addr.public.gpg-key

Remove the primary keypair from your keyring

  1. Export all subkeys from the new keypair to a file
gpg --export-secret-subkeys my@email.addr > $HOME/.gnupg/subkeys
  2. Delete the primary key from the keyring - BE SURE TO BACK UP YOUR PRIMARY KEYPAIR FIRST!
gpg --delete-secret-key my@email.addr
  3. Re-import the previously exported subkeys
gpg --import $HOME/.gnupg/subkeys
  4. Look for sec# instead of sec in the output - the pound sign means the primary secret key is no longer in the keyring; only the subkeys are
gpg --list-secret-keys my@email.addr
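As an added example (not part of the original page), the following Python check automates step 4: it parses the machine-readable listing produced by `gpg --list-secret-keys --with-colons` and reports whether the primary secret key is still present, whether a usable signing subkey exists, and whether anything has expired. The embedded listing is constructed sample data, not real key material; feed it the real command's output to audit your own keyring.

```python
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `gpg --list-secret-keys --with-colons` output (no real key material).
# Field 1 is the record type, 5 the key ID, 7 the expiry (epoch seconds, empty = never),
# 12 the capabilities, and 15 is '#' when only a stub of the secret key is in the keyring.
SAMPLE_LISTING = """\
sec:u:255:22:0123456789ABCDEF:1700000000:1731536000::u:::cESC:::#::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice <alice@example.com>::::::::::0:
ssb:u:255:22:FEDCBA9876543210:1700000100:1731536000:::::s:::+::ed25519::
ssb:u:255:18:0011223344556677:1700000000:1731536000:::::e:::+::cv25519::
"""

@dataclass
class KeyRecord:
    kind: str               # "sec" (primary) or "ssb" (subkey)
    keyid: str
    expires: Optional[int]  # epoch seconds, None if the key never expires
    caps: str               # e.g. "cESC" for the primary, "s" for a sign-only subkey
    stub: bool              # True when only a stub ('#') of the secret key is present

def parse_secret_listing(text: str) -> List[KeyRecord]:
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):   # skip fpr, uid, grp and other record types
            continue
        records.append(KeyRecord(kind=f[0], keyid=f[4],
                                 expires=int(f[6]) if f[6] else None,
                                 caps=f[11], stub=(f[14] == "#")))
    return records

def audit(records: List[KeyRecord], now: Optional[float] = None) -> List[str]:
    """Return findings; an empty list means the keyring is in the state this guide aims at."""
    now = time.time() if now is None else now
    findings = []
    if not any(r.kind == "sec" for r in records):
        return ["no secret key found"]
    for r in records:
        if r.kind == "sec" and not r.stub:
            findings.append(f"primary key {r.keyid} is still in the keyring (expected sec#)")
        if r.expires is not None and r.expires <= now:
            findings.append(f"{r.kind} {r.keyid} has expired; renew it with 'gpg --edit-key'")
    if not any(r.kind == "ssb" and "s" in r.caps and not r.stub for r in records):
        findings.append("no usable signing subkey (ssb with 's' capability) present")
    return findings
```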

Revoking a signing keypair

Find the primary keypair and import it (preferably into an ephemeral system like a liveUSB)

 gpg --import /path/to/my_email_addr.public.gpg-key /path/to/my_email_addr.private.gpg-key
 gpg --edit-key my@email.addr
 gpg> revkey
 [ passphrase twice ]
 gpg> save

Renew an expired or expiring keypair

 gpg --edit-key my@email.addr
 [select a key]
 gpg> expire
 [specify an expiration]
 gpg> save

Create a single signed git commit

 git commit -S -m "my awesome signed commit"

Configure git to always sign commits with a specified key

 gpg --list-secret-keys --keyid-format=long # grab the long key ID from the 'sec' line
 git config [--global] commit.gpgsign true
 git config [--global] user.signingkey DEADB33FBAD1D3A

Configure VSCode to sign commits

 # User or workspace setting
 "git.enableCommitSigning": true

Upload your public key to a keyserver

 gpg --keyserver pgp.mit.edu --send-keys 0xDEADB33FBAD1D3A

Verify your key has been published

 gpg --keyserver pgp.mit.edu --search-keys my@email.addr

Additional Information

If you have questions with respect to this content, or to report concerns regarding the use or misuse of content, please do not hesitate to contact us at info@rockylinux.org.

Rocky Linux and the Rocky Enterprise Software Foundation (RESF) does not make any express or implied warranties, including but not limited to the warranties of non-infringement of any third party intellectual property rights. RESF does not warrant that any pending trademark applications for trademarks of RESF will result in any granted trademark protection. RESF shall not be liable for any claims relating to user's activities falling within the scope of the permission and user hereby agrees to indemnify, defend and hold RESF and its contributors harmless against any such claim.

This content is licensed under the Attribution-Share Alike 4.0 International license unless otherwise noted.

Author: Al Bowles

Contributors: Lukas Magauer