Set up a GitHub GPG signature

Guide: Setting Up GPG Keys for Git Commit Signing

Why Sign Your Git Commits?

In the open-source world, trust and authenticity are paramount. Signing your Git commits with a GPG key provides a way to cryptographically verify that the commits genuinely came from you. This helps prevent unauthorized code changes and builds trust in your contributions.

What is GnuPG?

GnuPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard. It enables you to encrypt, decrypt, and sign data using public-key cryptography.

Installing GnuPG:

For detailed installation instructions, refer to the official GnuPG documentation: https://gnupg.org/download/index.html

Now, let's set up your GPG key and configure Git to use it.

Steps:

  1. Check for existing keys:

    • Open your terminal and run the command: gpg --list-secret-keys --keyid-format LONG.
    • If you don't see any keys listed, proceed to the next step.
  2. Generate a new key:

    • Run gpg --full-generate-key.
    • You'll be prompted to choose the key type (default is usually fine), the elliptic curve (default is usually fine), and the key's expiration date.
    • Enter your real name and email address.
    • Follow the prompts to create a strong passphrase for your key.
    • The system will generate the key pair.
  3. Export your public key:

    • Find the long-form key ID of your newly created key by running gpg --list-secret-keys --keyid-format LONG again.
    • Export your public key using: gpg --armor --export <your_key_id>.
    • This will output your public key in ASCII-armored format. Copy this output.
  4. Configure Git:

    • Tell Git to use your GPG key for signing by running:
      git config --global user.signingkey <your_key_id>
    • Enable commit signing by default:
      git config --global commit.gpgSign true
  5. Verify the setup:

    • Run git config --global commit.gpgSign. The output should be true.
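
Added example (not part of the original guide): a small Python parser for the listing that steps 1 and 3 ask you to read (gpg --list-secret-keys --keyid-format LONG). It picks the primary key that has the S (signing) capability, is unexpired, and carries a uid matching git's user.email, because GitHub only shows "Verified" when the committer email matches a uid on the key; the encryption-only [E] subkey is never a valid signingkey. The sample listing is constructed from the key IDs shown in the log on this page.

```python
import re
from datetime import date

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output, using the
# key IDs that appear in the log on this page (fingerprint line left elided).
SAMPLE_LISTING = """\
[keyboxd]
---------
sec   ed25519/B3BA7FD120A1F919 2024-09-05 [SC] [expires: 2025-09-05]
      93...69
uid                 [ultimate] Your Mother <mommy@proton.me>
ssb   cv25519/11F5CE8013A3A815 2024-09-05 [E] [expires: 2025-09-05]
"""

# sec/ssb line: <algo>/<16-hex long key ID> <created> [<caps>] [expires: <date>]
KEY_LINE = re.compile(
    r"^(sec|ssb)\s+\S+/([0-9A-F]{16})\s+\d{4}-\d{2}-\d{2}\s+\[([A-Z]+)\]"
    r"(?:\s+\[expires:\s+(\d{4}-\d{2}-\d{2})\])?"
)
UID_LINE = re.compile(r"^uid\s+(?:\[\w+\]\s+)?.*<([^>]+)>")  # optional [trust], then <email>


def parse_listing(text):
    """One dict per sec/ssb line: kind, keyid, caps (set of letters), expires, uids."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            kind, keyid, caps, expires = m.groups()
            keys.append({"kind": kind, "keyid": keyid, "caps": set(caps),
                         "expires": date.fromisoformat(expires) if expires else None,
                         "uids": []})
            continue
        u = UID_LINE.match(line)
        if u and keys:  # uid lines follow the primary (sec) key they belong to
            keys[-1]["uids"].append(u.group(1).lower())
    return keys


def pick_signing_key(text, git_email, today):
    """Long key ID for user.signingkey, or None: a primary (sec) key with the S
    capability, unexpired as of `today`, whose uids include git's user.email."""
    for k in parse_listing(text):
        if k["kind"] != "sec" or "S" not in k["caps"]:  # skips the [E]-only subkey
            continue
        if k["expires"] is not None and k["expires"] < today:
            continue
        if git_email.lower() in k["uids"]:
            return k["keyid"]
    return None
```

Feed it the real listing from your machine and pass the email you set with git config user.email; a None result means the badge would not show "Verified" even though commit.gpgSign is true.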

Troubleshooting:

Additional Notes:

Adding Your Public Key to GitHub

Once you have your public key, you'll need to add it to your GitHub account so that GitHub can verify your signed commits.

  1. Copy your public key:

    • The output from gpg --armor --export <your_key_id> should look something like this:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    ...
    YOUR MOM'S PUBLIC KEY
    ...
    -----END PGP PUBLIC KEY BLOCK-----
    
    • Copy the entire block, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines.
  2. Go to your GitHub settings:

    • Log in to your GitHub account.
    • Click on your profile picture in the top right corner, then click "Settings."
    • In the left sidebar, click on "SSH and GPG keys."
  3. Add your GPG key:

    • Click the "New GPG key" button.
    • Paste your copied public key into the "Key" field.
    • Give your key a descriptive title (e.g., "My work laptop").
    • Click "Add GPG key."
    • You may be prompted to enter your GitHub password to confirm the action.

Now, whenever you push a signed commit to a repository on GitHub, it will display a "Verified" badge next to your commit, indicating that the commit was signed by you and the signature is valid.

Logs

#Seba

First we check whether we have any existing gpg keys in our system

gpg --list-secret-keys --keyid-format LONG

If we don't, we generate a new one

gpg --full-generate-key
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection?
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) y
invalid value
Key is valid for? (0) 42y
Key expires at Thu 26 Aug 2066 02:53:55 PM -03
Is this correct? (y/N) y
#### 2024-09-05

Now, because you are a mess, you need to create an ID for your GPG identity.
Fun fact: 42 is the answer to all questions in the universe.

GnuPG needs to construct a user ID to identify your key.

Real name: Your Mother
Email address: mommy@proton.me
You selected this USER-ID:
    "Your Mother <mommy@proton.me>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/93...19.rev'
public and secret key created and signed.

pub   ed25519 2024-09-05 [SC] [expires: 2025-09-05]
      93...69
uid                      Your Mother <mommy@proton.me>
sub   cv25519 2024-09-05 [E] [expires: 2025-09-05]

If you want to query the right one (again):

$ gpg --list-secret-keys --keyid-format LONG


and export it for GitHub,
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-09-05
[keyboxd]
---------
sec   ed25519/B3BA7FD120A1F919 2024-09-05 [SC] [expires: 2025-09-05]
      93...69
uid                 [ultimate] Your Mother <mommy@proton.me>
ssb   cv25519/11F5CE8013A3A815 2024-09-05 [E] [

Put your real security hash here, without the dots...

$ gpg --armor --export 93..69

I'm following this guide,

gpg --armor --export 93aaaaaaaaaaaaaaaaa39e2222BaBABaBABADASS69
-----BEGIN PGP PUBLIC KEY BLOCK-----
YOUR MOM'S PUBLIC =KEY
-----END PGP PUBLIC KEY BLOCK-----


The fictional ID 93aaaaaaaaaaaaaaaaa39e2222BaBABaBABADASS69 is the signing KEY ID

16:41
Let's now add it to the git global config

git config --global user.signingkey 93aaaaaaaaaaaaaaaaa39e2222BaBABaBABADASS69

Verify the setup; if the result is true, your gpg is verified!

git config --global commit.gpgSign
true

Great job happy hacking!