How to Sign Tags and Commits with Git

You may remember in our previous articles, we learned how to commit changes in our project to Git. We also learned how to add tags to various commits in order to mark special milestones. Now we’re going to learn how to “sign” tags and commits with GPG.

Signing commits and tags is a way of verifying that a certain commit or tag has been verified by a certain user. This can be part of a contribution policy or as a protective measure to make sure that a commit is coming from a legitimate source.

Before you can sign tags and commits, you must make sure you have a GPG (or GnuPG) key available. This key is installed on your computer, and you can use it to sign and encrypt emails or to encrypt and decrypt files. In the example below, we will use this key to sign our tags and commits.

How to Add a GPG Key to Your User Configuration

In order to use the GPG key on your computer, you will need to add it to the config file. You may remember in the article on adding files to Git, we configured our username and email address we wanted to use for Git. We are going to follow a similar procedure here to add our key.

First, make sure you have a key ready to use.

 christopher@server$ gpg --list-keys

Here is the output of the above command:

 pub   1024R/84487D41 2017-11-15 [expires: 2017-11-22] uid
 Chris Maiorana (CC Team) <chris@example.com> sub   1024R/32B16A59 2017-11-15 [expires: 2017-11-22]

The key you will want to use for signing is your public key labelled “pub” above.

In order to add your key to the Git configuration, open your terminal app and run this command with the numbers following the forward slash after “pub”:

 git config --global user.signingkey 84487D41

How to Sign Commits

Signing commits is easy. All we need to do is add the -S option to the git commit command.

1. Open your project via command line or SSH
2. Navigate to the project directory
3. Use the git commit with the following options:

    git commit -a -S -m "Your commit message"

The -a option adds changes to the staging index automatically, the -S options signs the commit with your GPG key, and the -m option allows you to put your commit message in quotes following the command.

The output of the above command will look similar to this:

 christopher@server$ git commit -a -S -m "Your commit message"  You need a passphrase to unlock the secret key for user: "Chris Maiorana (CC Team) <chris@example.com>" 1024-bit RSA key, ID 84487D41, created 2017-11-15  master [master ef3fab3] Your commit message  1 file changed, 748 insertions(+), 740 deletions(-)

How to Sign Tags

It’s easy to sign tags with the addition of the -s option to the git tag command. Remember that the tag will be assigned to the most recent commit.

1. Open your project via command line or SSH
2. Navigate to the project directory
3. Enter the following command:

    git tag -s your tag -m "your tag message"

After you have signed your tag, you can view it later with the git show command:

christopher@server$ git show v1.4 tag v1.4 Tagger: 
 
ChristopherM <chris@example.com> Date:   Wed Nov 15 12:35:44 2017 -0500  Version 1.4 Signed 

-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1  iJwEAAECAAYFAloMevAACgkQ19n8W4RIfUGwBgQArTjp8UtKvmt1RBEvlNvZ7Qe0 W+jzYRUQxLh2eXBA5jIpaqHRT4RMQ7qEpwJs1w+Iwj1XcaEWZuH3dFE+Ic3KhY3h msiJdIxTOQU8MyJ9c5f5DBSSVULNFj0ibmU3P85XF0W9DMGIoyUtReBnFImPYaoo CjPowzRQ9Vi7SDRtz04= =ojrH 
-----END PGP SIGNATURE-----  

commit 136c043c1cb6b5baa72ead64aba468e1982e60d0 
Author: ChristopherM <chris@example.com> Date:   Wed Nov 8 18:04:35 2017 -0500      
Version 4 (commit message)
</chris@example.com></chris@example.com>

Well done! You now know how to sign tags and commits in Git using GPG keys.