In this tutorial I will describe how you can use Git to sign commits with an OpenPGP key. A signature lets others verify that you really are the author of a commit, and the commit is then displayed as signed on e.g. GitHub.
I’m going to assume that you’ve already created an OpenPGP key. Otherwise you can search the net for instructions, or get what you need from my tutorial on Nitrokey Pro 2.
Determine OpenPGP public key
In the console we can display the existing keys with the following command:
gpg --keyid-format long --list-keys
This should show you all available keys:
pub   rsa2048/AA10842DB9E8432A 2019-05-29 [SC]
      BF63605C4D5AF4F03D2E05CDAA10842DB9E8432A
uid                 [ ultimativ ] John Doe <john.doe@example.org>
sub   rsa2048/FAE183B64746EEEE 2019-05-29 [E]
Copy the KeyID (the part after the slash on the “pub” line), in my case “AA10842DB9E8432A”. Now we export the public key with the following command, substituting your own KeyID:
gpg --armor --export AA10842DB9E8432A
Now copy the output completely and go to GitHub in the user settings under “SSH / GPG key”. There you add a new GPG key and paste the exported public key into the corresponding field. On the server side (GitHub, or Gitea, which has the same setting) we are now done with that.
Configure Git
In order for Git to sign the commits, we need to make a few settings on the user system. You can tell Git which key to use with the following command:
git config --global user.signingkey AA10842DB9E8432A
Here you have to enter your KeyID again. If you want every commit to be signed automatically, run the following command:
git config --global commit.gpgsign true
And finally, so that GnuPG can prompt for your passphrase on the current terminal:
echo 'export GPG_TTY=$(tty)' >> ~/.profile
source ~/.profile
Now you can start signing commits (if not automatically):
git commit -S -m TEXT
git push
If everything worked, you should see the commit as signed on GitHub.