Github Security : Enable GPG verification

Recently, while working on an open-source project, I found that one contributor's key and access to GitHub had been compromised. You can't imagine how tedious and hasty it was to tell the unauthorized commits apart from the legitimate ones. Since then, every contributor to the project has enabled GPG key verification on their account, which makes unauthorized commits to the repositories much easier to spot. Here's how everyone configured GPG key verification for their commits.

Mac users can download and install GPG Suite, which has a nice UI for generating a GPG key. Alternatively, follow the commands below to generate and export a GPG key.

Generate GPG key

gpg --gen-key

List your GPG keys

gpg --list-secret-keys --keyid-format LONG

From the list of GPG keys, copy the long form of the GPG key ID you'd like to use (the 16 hex characters after the slash on the sec line). In this example, the GPG key ID is 3AA5C34371567BD2:

/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot 
ssb   4096R/42B317FD4BA89E7A 2016-03-10

Run the command below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2.

gpg --armor --export 3AA5C34371567BD2
# Prints the public key in ASCII armor format; copy everything from the BEGIN line to the END line

Adding a new GPG key to your GitHub account

In the top right corner of any page, click your profile photo, then click Settings.

In the user settings sidebar, click SSH and GPG keys.

Click New GPG key.

In the “Key” field, paste the ASCII-armored public key you copied from the export step above.

Click Add GPG key.

To confirm the action, enter your GitHub password.

Signing commits using GPG

When committing changes on your local branch, add the -S flag to the git commit command:

git commit -S -m "your commit message"
# Creates a signed commit; the message must be quoted so the shell passes it as one argument

After you create your commit, provide the passphrase you set up when you generated your GPG key.

When you’ve finished creating commits locally, push them to your remote repository on GitHub:

git push
# Pushes your local commits to the remote repository

Now, when you look at your commits on GitHub, you will see the Verified badge next to each signed commit.
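As an added example, not code from the original post: a small POSIX shell script that ties the steps above together. It extracts the long key ID from the listing produced by gpg --list-secret-keys, configures git to sign every commit with that key, and audits the signature status that git log reports so that unsigned or unverifiable commits stand out, which is the monitoring described in the introduction. The gpg listing and git log lines inside it are constructed samples (the listing reuses the post's example key), and extract_keyid, configure_signing and audit_log are names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original post): glue the post's steps together
# and audit a branch for commits that are not signed with a trusted key.
# Every sample input below is constructed for the demo.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG`,
# reusing the example key from the post.
SAMPLE_LISTING='/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10'

# extract_keyid: read the listing on stdin and print the 16-hex-digit long ID
# of the first "sec" (primary secret key) line. Works for the older
# "4096R/ID" and the newer "rsa4096/ID" layouts; subkeys ("ssb") are skipped.
extract_keyid() {
    sed -n 's|^sec[[:space:]]*[^/]*/\([0-9A-Fa-f]\{16\}\).*|\1|p' | head -n 1
}

# configure_signing KEYID: tell git which key to use and sign every commit by
# default, so a forgotten -S can no longer produce an unsigned commit.
# (Not called below because it edits your global git config.)
configure_signing() {
    git config --global user.signingkey "$1"
    git config --global commit.gpgsign true
}

# Constructed sample of `git log --format='%H %G? %GK %s'` with short hashes.
# %G? is git's signature status: G good, U good but key not trusted locally,
# N no signature, E signature present but key unavailable, B bad signature.
SAMPLE_LOG='a1b2c3d4 G 3AA5C34371567BD2 Add input validation
e5f6a7b8 N  Bump version
c9d0e1f2 U 42B317FD4BA89E7A Refactor parser
0badf00d B 3AA5C34371567BD2 Update dependencies
11223344 E 0123456789ABCDEF Fix typo'

# audit_log: read log lines on stdin and print "<hash> <reason>" for every
# commit whose status is not G, so a reviewer can inspect them by hand.
audit_log() {
    awk '{
        status = $2
        if (status == "G") next
        reason = "unrecognised status " status
        if (status == "N") reason = "not signed"
        else if (status == "U") reason = "signed by a key you have not trusted"
        else if (status == "E") reason = "signed, but the key is not available locally"
        else if (status == "B") reason = "BAD signature"
        print $1, reason
    }'
}

KEYID=$(printf '%s\n' "$SAMPLE_LISTING" | extract_keyid)
echo "Selected signing key: $KEYID"
echo "Commits needing review:"
printf '%s\n' "$SAMPLE_LOG" | audit_log
```

On a real machine, pick the key with gpg --list-secret-keys --keyid-format LONG | extract_keyid, run configure_signing "$KEYID" once, and then audit a branch with git log --format='%H %G? %GK %s' origin/main | audit_log. Git reports U rather than G for a good signature from a key that is not in your local keyring's trust database, so importing and trusting your fellow contributors' public keys locally is what turns those U entries into G.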

 

2 thoughts on “Github Security : Enable GPG verification”

  1. Thanks for consolidating the instructions 🙂

    In addition, I tried to set it up such that it would work by default for SourceTree too, but no such luck!

    $ git config --global commit.gpgsign true   # [OPTIONAL] every commit will now be signed
    $ git config --global user.signingkey ABCDEF01   # where ABCDEF01 is the fingerprint of the key to use
    $ git config --global alias.cis "commit -S"

    I have to fix it repo by repo: https://gist.github.com/alopresto/b8d940197b4c314e27188a6852198d2d#atlassian-sourcetree-integration
