You may remember in our previous articles, we learned how to commit changes in our project to Git. We also learned how to add tags to various commits in order to mark special milestones. Now we’re going to learn how to “sign” tags and commits with GPG.
Signing commits and tags is a way of verifying that a certain commit or tag has been verified by a certain user. This can be part of a contribution policy or as a protective measure to make sure that a commit is coming from a legitimate source.
Before you can sign tags and commits, you must make sure you have a GPG (or GnuPG) key available. This key is installed on your computer, and you can use it to sign and encrypt emails or to encrypt and decrypt files. In the example below, we will use this key to sign our tags and commits.
How to Add a GPG Key to Your User Configuration
In order to use the GPG key on your computer, you will need to add it to the config file. You may remember in the article on adding files to Git, we configured our username and email address we wanted to use for Git. We are going to follow a similar procedure here to add our key.
First, make sure you have a key ready to use.
christopher@server$ gpg --list-keysHere is the output of the above command:
pub 1024R/84487D41 2017-11-15 [expires: 2017-11-22] uid Chris Maiorana (CC Team) <[email protected]> sub 1024R/32B16A59 2017-11-15 [expires: 2017-11-22]
The key you will want to use for signing is your public key labelled “pub” above.
In order to add your key to the Git configuration, open your terminal app and run this command with the numbers following the forward slash after “pub”:
git config --global user.signingkey 84487D41How to Sign Commits
Signing commits is easy. All we need to do is add the -S option to the git commit command.
- Open your project via command line or SSH
- Navigate to the project directory
- Use the
git commitwith the following options:git commit -a -S -m "Your commit message"
The -a option adds changes to the staging index automatically, the -S options signs the commit with your GPG key, and the -m option allows you to put your commit message in quotes following the command.
The output of the above command will look similar to this:
christopher@server$ git commit -a -S -m "Your commit message" You need a passphrase to unlock the secret key for user: "Chris Maiorana (CC Team) <[email protected]>" 1024-bit RSA key, ID 84487D41, created 2017-11-15 master [master ef3fab3] Your commit message 1 file changed, 748 insertions(+), 740 deletions(-)
How to Sign Tags
It’s easy to sign tags with the addition of the -s option to the git tag command. Remember that the tag will be assigned to the most recent commit.
- Open your project via command line or SSH
- Navigate to the project directory
- Enter the following command:
git tag -s your tag -m "your tag message"
After you have signed your tag, you can view it later with the git show command:
christopher@server$ git show v1.4 tag v1.4 Tagger: ChristopherM <[email protected]> Date: Wed Nov 15 12:35:44 2017 -0500 Version 1.4 Signed -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iJwEAAECAAYFAloMevAACgkQ19n8W4RIfUGwBgQArTjp8UtKvmt1RBEvlNvZ7Qe0 W+jzYRUQxLh2eXBA5jIpaqHRT4RMQ7qEpwJs1w+Iwj1XcaEWZuH3dFE+Ic3KhY3h msiJdIxTOQU8MyJ9c5f5DBSSVULNFj0ibmU3P85XF0W9DMGIoyUtReBnFImPYaoo CjPowzRQ9Vi7SDRtz04= =ojrH -----END PGP SIGNATURE----- commit 136c043c1cb6b5baa72ead64aba468e1982e60d0 Author: ChristopherM <[email protected]> Date: Wed Nov 8 18:04:35 2017 -0500 Version 4 (commit message) </[email protected]></[email protected]>
Well done! You now know how to sign tags and commits in Git using GPG keys.
