Guide for the impatient
Only Using SSH To Sign Commits
First, generate an SSH key. You must have ssh installed; to verify, run this:
ssh -V
You should get the version info, with no errors.
To generate keys for GitHub specifically, I'll save you some time: paste this↗ in your terminal.
This will generate an SSH key pair. ashgw is my username; yours will be different.
Generating public/private ed25519 key pair.
Created directory '/home/ashgw/.ssh'.
Enter passphrase (empty for no passphrase):
Optionally enter a passphrase, that's on you.
Your identification has been saved in /home/ashgw/.ssh/github
Your public key has been saved in /home/ashgw/.ssh/github.pub
The key fingerprint is:
SHA256:A7vCUer8pc+IPmTOHS5ULS4hOXX4SElUA0lbVj9SbgI ashgw@ashx
The key's randomart image is:
+--[ED25519 256]--+
| +=*E.. . |
| *+.o + |
| +.+o.o = |
| + oo+o.+ . |
| oo+..S |
| +=.o. . |
| *=+... |
| =+o= |
| .oo+.o |
+----[SHA256]-----+
Agent pid 3606
Identity added: /home/ashgw/.ssh/github (ashgw@ashx)
➜ ~
You should get the same output with no problems.
If xclip↗ is installed when you run the command, the public key is also copied to your clipboard. If you don't have xclip, copy it manually:
cat ~/.ssh/github.pub
You should get the public key
➜ ~ cat ~/.ssh/github.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoih/l+dazF/waAOFry1h0i5kT4+cislDxfFRreE2I2 ashgw@ashx
➜ ~
Where To Paste It?
Go here↗. Under the SSH keys section you'll find an "authentication keys" section as well as a "signing key" section; paste your public key in BOTH. Before that works, though, you need to modify your ~/.gitconfig:
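[user]
email = <YOUR_ACTUAL_VERIFIED_EMAIL_ON_GITHUB>
name = <YOUR_NAME_CAN_BE_FAKE_THO>
signingkey = /home/<YOUR_USERNAME_HERE>/.ssh/github.pub
[gpg]
format = ssh # treat signingkey as an SSH key; drop this line if you sign with GPG instead
[commit]
gpgsign = true # sign every commit without passing -S
# other stuff ...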
That's it. If you're wondering what else can be put inside ~/.gitconfig, you can check out mine here↗. Now your commits will be verified.
Connect With SSH, Sign With GPG
Do the steps above, then try to clone one of your repos with SSH; if no problem occurs, you're good. Next, you must have gpg installed. You're probably on Debian, here's how to cop it.
sudo apt update && sudo apt install gnupg
Verify with:
gpg --version
Second, if you don't have a key lying around, generate a new one with:
gpg --full-generate-key
If you've successfully generated your key, list your keys with
➜ ~ gpg -k
You should get something like this
➜ ~ gpg -k
/home/ashgw/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2018-02-20 [SC]
79821E0224D34EC4969FF6A8E5168EE090AE80D0
uid [ultimate] Ashref Gwader (personal) <ashrefgw@proton.me>
sub rsa4096 2018-02-20 [E]
➜ ~
You see that large number? That's your key ID. Copy it and paste it in your ~/.gitconfig file:
[user]
email = <SAME_AS_ABOVE>
name = <SAME_AS_ABOVE>
signingkey = <THAT_ID>
[gpg] # mandatory
program = gpg
[commit] # mandatory
gpgsign = true
# other stuff...
Next, you need to export your public GPG key.
gpg --armor --export <THAT_KEY_ID> | xclip -selection clipboard
If you have xclip installed, you'll get it copied to your clipboard; otherwise, just run this:
gpg --armor --export <THAT_KEY_ID>
You'll get your public key; it should start with
-----BEGIN PGP PUBLIC KEY BLOCK-----
It's a long chain of characters. You can find mine here↗; yours will be there too if you use it to sign commits, at https://github.com/<YOUR_USERNAME>.gpg.
Next, take the key you just copied and paste it here↗, give the key a title so you don't forget it and paste the public key.
That's it, your commits are now verified with your GPG key, while you're still able to use SSH with GitHub. You can follow the same steps for other platforms.