Git PGP signed commit using Keybase.io

July 2, 2022

Git signed commits help verify the Git author’s identity using PGP. Optionally, a user or organization can set rules requiring Git PGP signed commits on Git providers such as GitHub and GitLab

Public PGP IDs can help verify author identity of Git commits, social media, website, etc. A popular free service to share PGP IDs is Keybase.io. Below we demonstrate using Keybase.io PGP ID with Git with the keybase.io client.

Setup GPG on the laptop:

Linux: apt install gnupg
macOS: brew install gnupg
Windows: Kleopatra GPG binary install.

Export Keybase.io public & private key and import into GPG:

keybase pgp export | gpg --import

keybase pgp export --secret | gpg --pinentry-mode=loopback --allow-secret-key --import

If old GnuPG, may need to omit option --pinentry-mode=loopback

The GPG signature is password protected, distinct from the Keybase.io account password.

Verify PGP key:

gpg --list-secret-keys --keyid-format LONG

The first lines will be like:

sec   rsa4096/05F2BD2A525007DF

The hexadecimal part after the / is a public reference to keybase.io keypair. It’s shown on the keybase.io public profile, next to the key icon.

Add Git provider such as GitHub or GitLab verified email address to the PGP key. To make commits “Verified” with the Git provider, at least one of the Git provider verified email addresses must match:

git config --get user.email

Use the GPG public ID below:

gpg --edit-key 05F2BD2A525007DF

In the interactive GPG session that launches, type

adduid

and enter Name and the Email address–which must exactly match the GitHub verified email address. I also add the @users.noreply.github.com fake email that I always use to avoid spam. Do adduid twice–once for the real GitHub verified email address and again for the github_username@users.noreply.github.com fake email.

Add “trust” from the GPG> prompt:

trust

Since it’s you, perhaps a trust level of 5 is appropriate. type

save

to save changes, which may not show up until exiting and reentering the GPG> prompt.

Configure Git to use Keybase public hex ID as seen next to the key logo on the public Keybase.io profile, as in the example below.

git config --global user.signingkey 05F2BD2A525007DF

git config --global commit.gpgsign true

Add the GPG public key to the Git provider. Copy and paste the output from this command into GPG Key of GitHub or GitLab. This is done only once per human, not once per device.

gpg --armor --export 05F2BD2A525007DF

Windows

On Windows, additionally do

git config --global gpg.program "$Env:ProgramFiles (x86)\GnuPG\bin\gpg.exe"

macOS

On macOS, additionally do

brew install pinentry-mac

and add to ~/.zshrc:

export GPG_TTY=$TTY

Usage

GPG can be used to sign Git commits and tags, and can also be disabled per commit.

Verify Git PGP commit sign

Make a git commit after the procedure above, and see the signature notes:

git log --show-signature

it will start with

gpg: Signature made

Temporary disable Git commit sign

If you temporarily lose access to the GPG password, you won’t be able to git commit. A temporary workaround is to set

git config commit.gpgsign false

or simply add the --no-gpg-sign option like:

git commit -am "msg" --no-gpg-sign

If not signing as default, sign only certain commits by

git commit -S

Note that’s a capital “S”.