Using a GPG Key to Sign-Off Git Commits and Emails

Dries Vints
Jun 30, 2013


Proving that Git commits and emails are really yours can be troublesome. Email spoofing is one of the easiest things to do these days, and anyone can configure Git with your name and email address and commit under your identity.

While there isn’t a way to stop people from pretending they’re you, there are a couple of ways to prove that spoofed commits and emails aren’t yours. One of those ways is to sign your commits and emails with a GPG key.

A GPG key pair is generated by you, on your own machine, and the private half is protected by a passphrase and never leaves that machine. As long as you keep the private key safe, nobody else can produce a signature that verifies against your public key. That gives you a reliable way to claim commits and emails as your own, and to disown anything that carries no valid signature from you.

If you’d like to know more about using GPG keys to secure your Git commits, you can read this absolutely great post by Mike Gerwitz. I’m borrowing some code examples from it in this tutorial.

Warning: this tutorial is written for OS X.

Generating a GPG Key

To get started we first need to generate a GPG key. For OS X, there is a great tool which makes it dead-simple to install GPG keys on your machine. You can download GPGTools here (you can use Gpg4win if you’re using Windows).

Follow the installation instructions to install GPGTools. After installing, you’ll be prompted to generate a new GPG key. Fill in your full name and preferred email address (preferably the same one you’re using for Git). Make sure to have “Upload key after generation” selected: this publishes only the public half of the key to a keyserver, which is what other people need in order to verify your signatures. Follow the remaining steps, and choose a passphrase you will remember; it protects the private key and you’ll need it every time you sign.

After creating your key, you can list them by running the following command in your CLI.

$ gpg --list-secret-keys | grep ^sec
sec 4096R/8EE30EAB 2011-06-16 [expires: 2014-04-18]
# ^^^^^^^^

Configuring Git With the GPG Key

Now that we have our key set up we should configure Git to use it when we sign our commits. Run the following command in your CLI. Please note that you have to replace the 8EE30EAB part with your own key ID, which you listed with the command above (marked with the ^^^^^^^^). That value is the short 8-hex-digit key ID; short IDs can be deliberately collided, so if your gpg supports it, prefer the 16-digit long ID shown by gpg --list-secret-keys --keyid-format long, or the full fingerprint. Git accepts any of the three.

$ git config --global user.signingkey 8EE30EAB
# ^ replace with your key id

Signing Commits

We’ve added our GPG key to our Git configuration. Let’s try signing a commit. Go to a local Git repository, make some changes, stage them and then run the following command.

$ git commit -S -m 'Test commit of foo'

You need a passphrase to unlock the secret key for
user: "Mike Gerwitz (Free Software Developer) <mike@mikegerwitz.com>"
4096-bit RSA key, ID 8EE30EAB, created 2011-06-16

[master (root-commit) cf43808] Test commit of foo
 1 file changed, 1 insertion(+)
 create mode 100644 foo

The -S flag (uppercase!) tells Git to sign the commit with the key from user.signingkey. If you don’t have gpg-agent running, you’ll be prompted for the passphrase you chose when generating the key.

By default, Git won’t show the GPG signature in git log. To check whether the commit was actually signed, run the following command.

$ git log --show-signature
commit cf43808e85399467885c444d2a37e609b7d9e99d
gpg: Signature made Fri 20 Apr 2012 11:59:01 PM EDT using RSA key ID 8EE30EAB
gpg: Good signature from "Mike Gerwitz (Free Software Developer) <mike@mikegerwitz.com>"
Author: Mike Gerwitz <mike@mikegerwitz.com>
Date: Fri Apr 20 23:59:01 2012 -0400
Test commit of foo

Your Git commit is now signed with your GPG key. Anyone who has your public key can verify that the commit was made by the holder of that key and that its contents haven’t been changed since; a commit that merely carries your name and email, but no valid signature, is visibly not yours.

Signing Emails in Mail

When you installed GPGTools, a plugin for OS X Mail (GPGMail) should have been installed as well. When you now open the Mail preferences, a new GPGMail panel should have been added. Additionally, when you compose a new email from the address that belongs to your key, some new options are available in the compose window.

The new options allow you to encrypt and sign your email message. Encrypting the email ensures that only the intended recipient, whose public key you need, can read the message body; note that the headers, including the subject line, are not encrypted. You can read more about encrypting emails here.

Signing an email lets any recipient who has your public key verify that it was written by the holder of your key and that it wasn’t altered in transit.

Conclusion

Using GPG keys helps you identify yourself as the actual creator of your commits and email messages. It will not stop others from attempting to spoof your emails or commits, but because you consistently sign your own, you (and anyone who checks) can show that the author of a spoofed item isn’t you.

Some might argue that you could simply leave a commit or email unsigned to deny responsibility for it, but that problem actually lies on the other side, with the maintainer of a project or the receiver of your emails. If you want to be sure that the people whose commits you merge, or whose emails you act on, are who they claim to be, then you should require them to sign their commits and emails with a GPG key and verify the signatures before you accept anything. There are a number of ways to enforce this, but I won’t go into those in this post.
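Putting the signing walkthrough above and the maintainer-side verification this conclusion alludes to together, here is an added example (not code from the original post or from GPGTools) that runs the whole cycle unattended in a scratch keyring: it generates a throw-away key, signs one commit, leaves a second commit unsigned, and checks both with git verify-commit and the %G? placeholder of git log. The name, email address and commit messages are made up for the demonstration, and the script assumes gpg 2.1 or newer and git 2.5 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): generate a throw-away GPG key in
# an isolated keyring, sign one commit, leave one unsigned, and verify both the
# way a maintainer would. All names, addresses and messages are made up.
set -u

# Prints "verified" when the signed commit verifies and the unsigned one is
# rejected, "skipped" when git or gpg is not installed, "failed" otherwise.
demo_signed_commit() {
    command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 \
        || { echo skipped; return 0; }

    work=$(mktemp -d) || { echo failed; return 1; }
    # Isolated keyring so the demo never touches the user's real keys.
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Unattended key generation. %no-protection skips the passphrase, which is
    # acceptable only for a throw-away key like this one; a real key gets one.
    cat > "$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$work/params" 2>/dev/null \
        || { echo failed; return 1; }

    # Long (16 hex digit) key ID from the machine-readable listing: field 5 of
    # the "sec" record. Prefer it, or the full fingerprint, to a short ID.
    keyid=$(gpg --list-secret-keys --with-colons 2>/dev/null \
            | awk -F: '$1 == "sec" { print $5; exit }')

    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name  "Example Signer"
    git -C "$repo" config user.email "signer@example.invalid"
    git -C "$repo" config user.signingkey "$keyid"
    git -C "$repo" config gpg.program gpg

    # One signed commit (-S) and one that merely claims the same author.
    git -C "$repo" commit -q -S --allow-empty -m "signed: add foo" \
        || { echo failed; return 1; }
    git -C "$repo" commit -q --allow-empty -m "unsigned: someone typing my name"

    # %G? is the per-commit signature status: G = good, N = no signature.
    git -C "$repo" log --pretty='%G? %h %aN %s' >&2

    # git verify-commit exits 0 only when the signature is good and the key is
    # in the verifier's keyring; this is the check a maintainer runs pre-merge.
    signed_ok=1; unsigned_ok=1
    git -C "$repo" verify-commit HEAD~1 2>/dev/null && signed_ok=0
    git -C "$repo" verify-commit HEAD   2>/dev/null && unsigned_ok=0

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"

    if [ "$signed_ok" -eq 0 ] && [ "$unsigned_ok" -ne 0 ]; then
        echo verified
    else
        echo failed
        return 1
    fi
}

demo_signed_commit
```

Two settings worth knowing once this works for you: git config --global commit.gpgsign true makes every commit signed without typing -S, and on the receiving side git merge --verify-signatures refuses to merge a branch containing commits that lack a good signature from a key in your keyring, which is one concrete way of requiring signatures from contributors.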

If you’d like to learn more about securely signing Git commits, I (again) highly recommend this post by Mike Gerwitz.

Written by Dries Vints

I work for Laravel, maintain Laravel.io and organise Full Stack Belgium and Full Stack Europe.