Sign your commits

Signing your commits and tags lets others verify that they really came from you – and not from someone who merely got access to your repository. You can find a guide on the process e.g. at Setting up GPG for code signing. We'll outline the steps briefly here:

Set up GPG

First, install GPG. On Debian and derivatives (e.g. Ubuntu) as well as RHEL/CentOS/Fedora and macOS, the package to install is gnupg2; on Gentoo it is app-crypt/gnupg. On Windows, you can use Gpg4win.

Next, you need to generate your own keypair. You can have multiple keys, e.g. one for development and another one for personal use. We keep it simple here and just create one by calling gpg --gen-key, which will prompt us for input:

  • Key type: RSA and RSA
  • Key size: 4096 (to be future proof)
  • Key expiry: your choice. It's convenient to have a key that never expires, but an expiry date ensures the key becomes invalid automatically at some point ("dead man's switch"). You can renew it later.
  • Name & Address: your choice.
  • Check that everything is correct, and confirm to create your key.

In the next step, you will need the key's ID (the hexadecimal string gpg prints when it creates the key; gpg --list-secret-keys --keyid-format long shows it again later) to tell git which key to use.

Prepare git

Next, you need to tell your local Git installation which key it should use. You can do that globally (in $HOME/.gitconfig), but also per project. This would look like:

[user]
    email = john.doe@example.com
    name = John Doe
    signingkey = 6752AA5CB1A4521F

You can do that from the command line:

git config --global user.name "John Doe"
git config --global user.email "john.doe@example.com"
git config --global user.signingkey "6752AA5CB1A4521F"

Simply omit the --global if you want to do that for the current project only (while within its git repo).

Now, on each commit you pass the -S parameter to tell git to sign it. Or do it like me and define an alias so you cannot forget:

[alias]
    ci = commit -S
    tags = tag -s

Similarly, from the command line:

git config --global alias.ci "commit -S"
git config --global alias.tags "tag -s"

Now, instead of git commit you can simply use git ci. Do that for each commit (and, similarly, each tag) from now on. If you want git to always sign all your commits and tags, you can also tell it so (and skip the aliases):

git config --global commit.gpgsign true
git config --global tag.gpgsign true
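As an added check that is not part of the original guide, this Python script audits a gitconfig against the listing gpg prints with --with-colons: it verifies that user.signingkey names a secret key you actually hold, that the key can sign and has not expired, and that plain git commit and git tag will be signed either via the gpgsign options or via a -S/-s alias. The sample gitconfig and key listing below are constructed; the key IDs are not real keys.

```python
"""Offline audit of the signing setup described above; needs neither git nor gpg to run."""
import configparser
import time
# Constructed sample input (not real keys): the page's gitconfig plus the kind of
# output `gpg --list-secret-keys --with-colons` prints for that key.
SAMPLE_GITCONFIG = """[user]
    signingkey = 6752AA5CB1A4521F
[alias]
    ci = commit -S
    tags = tag -s
"""
SAMPLE_COLONS = """\
sec:u:4096:1:6752AA5CB1A4521F:1600000000:1800000000::u:::scESC:::+:::23::0:
ssb:u:4096:1:0123456789ABCDEF:1600000000:1800000000:::::e:::+:::23:
"""

def parse_secret_keys(colons):
    """Map long key ID -> (capability letters, expiry epoch or None) from sec/ssb
    records; 1-based fields: 5 = key ID, 7 = expiry (empty = never), 12 = capabilities."""
    keys = {}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 11:
            keys[f[4].upper()] = (f[11], int(f[6]) if f[6] else None)
    return keys

def audit(gitconfig, colons, now=None):
    """Return a list of problems; an empty list means the setup is sound."""
    now = time.time() if now is None else now
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(gitconfig)
    keys = parse_secret_keys(colons)
    problems = []
    keyid = cfg.get("user", "signingkey", fallback="").upper().removeprefix("0X")
    # git accepts a short (8 hex) or long (16 hex) ID, so match it as a suffix
    matches = [k for k in keys if keyid and k.endswith(keyid)]
    if not matches:
        problems.append(f"user.signingkey {keyid!r} matches no secret key in the gpg keyring")
    else:
        caps, expiry = keys[matches[0]]
        if "s" not in caps:
            problems.append(f"key {keyid} cannot sign (capabilities {caps!r})")
        if expiry is not None and expiry <= now:
            problems.append(f"key {keyid} has expired; renew it or create a new one")
    aliases = dict(cfg.items("alias")) if cfg.has_section("alias") else {}
    for cmd, flag in (("commit", "-S"), ("tag", "-s")):
        via_alias = any(v.startswith(cmd) and flag in v.split() for v in aliases.values())
        if not cfg.getboolean(cmd, "gpgsign", fallback=False) and not via_alias:
            problems.append(f"plain git {cmd} stays unsigned: set {cmd}.gpgsign or an alias")
    return problems
```

To audit your real setup, feed it the text of your .gitconfig and the output of gpg --list-secret-keys --with-colons instead of the samples.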

Update your forges

Finally, you may also want to add your public key to your Codeberg account, to your GitLab account, and/or to your GitHub account, so that the forge can show your commits and tags as verified.