Setting up Verified Commits on GitHub


In the wake of the COVID-19 pandemic, almost all IT organizations are experimenting with allowing their employees to work from home, but at the same time they are concerned about the security aspects that come with it. One such aspect is authorization with respect to version control, and in particular the case of a stolen identity.

The Problem

Git records several pieces of information with every commit, including, but not limited to, the time and the author of the commit. This information is usually read from the Git configuration files. You can list your current configuration with the command below.

git config --list

However, this also means anyone can set their user configuration to masquerade as someone else. For example, a malicious party could commit a security flaw into one of the public projects that I contribute to, using my name and email. This can create a number of problems!

We can deal with this problem by using Git’s ability to sign our commits with a GNU Privacy Guard (GPG) key. GitHub verifies these signatures, so other people will know that your commits come from a trusted source.

How does this GPG verification work anyway?

A GPG key pair consists of a private key and a public key. The private key is used to sign your commits, and the public key is associated with your GitHub account. When GitHub sees a commit signed with this GPG key, it uses the public key you provided to check the signature; if the signature matches the commit data, GitHub shows the commit as verified by you. Since no one else has your GPG private key, they can’t sign a commit with it. So, total verification! Yay!

Let’s set up GPG verification!!

Installation

The first thing we need to do is download the tools. I’m going to use gpg2 for this exercise, installed with Homebrew.

brew install gpg2

Generating a new key

Run gpg --gen-key and follow the wizard. At a minimum, it is going to ask for your name and email address (the one that you are going to use with GitHub).

Generating a gpg key

After you have provided the information required to construct a user ID, the wizard prompts for a passphrase.

Passphrase window

The wizard then generates a lot of random bytes during prime generation. To list the generated key, use the gpg --list-secret-keys --keyid-format LONG command. It should return something like this.

/home/username/.gnupg/secring.gpg
------------------------------- 
sec 4096R/<COPY_LONG_KEY> 2020-05-11 [expires: 2020-05-11]
uid                       User Name <user.name@email.com>
ssb 4096R/62E5B29EEA7145E 2020-05-11

Save your <COPY_LONG_KEY> and export the public key to a text file using the following command.

gpg --armor --export 5438A3DF737FF608 > gpg-key.txt

Now go to github.com/settings/keys, click the ‘New GPG key’ button, and paste the contents of gpg-key.txt there.

Configure the Git Client

Now set your key in the global Git configuration and tell Git to use it to sign every commit made under this user account, by running the following commands.

git config --global user.signingkey <PASTE_LONG_KEY_HERE>
git config --global commit.gpgsign true

That’s it! You are all set up: the next time you commit anything, gpg will ask for your passphrase and all your commits will be signed automatically.

**Note**: Depending on the OS that you use, you may have to set GPG_TTY. Set it by running export GPG_TTY=$(tty)
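The steps above produce signed commits; the other half of the picture is checking, on a clone, which commits in the history are actually verified. The following bash script is an added example, not code from the original post: it reads git's `%G?` signature-status placeholder for each commit and reports every commit that is unsigned, badly signed, or signed with a key that is untrusted, expired, revoked or not available locally. The sample log lines (and their hashes) are constructed so the audit function can run without a repository.

```shell
#!/usr/bin/env bash
# Added example: audit a repository's history for commits that are not
# fully verified. git's %G? placeholder reports per-commit signature status:
#   G = good, trusted signature      B = bad signature
#   U = good signature, unknown trust X/Y = good but expired signature/key
#   R = good but key revoked          E = cannot be checked (key missing)
#   N = no signature
set -u

# audit_signatures: read "<hash> <status> <signer>" lines on stdin, print one
# line per commit that is not status G, and return 1 if any was found.
audit_signatures() {
  local rc=0 hash status signer
  while read -r hash status signer; do
    [ -n "$hash" ] || continue
    case "$status" in
      G) ;;                                   # verified and trusted: nothing to report
      N) printf 'UNSIGNED    %s\n' "$hash"; rc=1 ;;
      B) printf 'BAD         %s (%s)\n' "$hash" "$signer"; rc=1 ;;
      U) printf 'UNTRUSTED   %s (%s)\n' "$hash" "$signer"; rc=1 ;;
      X|Y|R) printf 'EXPIRED/REVOKED %s (%s)\n' "$hash" "$signer"; rc=1 ;;
      E) printf 'UNCHECKABLE %s (public key not available locally)\n' "$hash"; rc=1 ;;
      *) printf 'UNKNOWN(%s)  %s\n' "$status" "$hash"; rc=1 ;;
    esac
  done
  return $rc
}

# audit_repo: run the audit over the current branch of a real repository.
# Needs git and gpg installed; %GS is the signer name (empty when unsigned).
audit_repo() {
  git -C "${1:-.}" log --format='%H %G? %GS' | audit_signatures
}

# Constructed sample output of `git log --format='%H %G? %GS'` (fake hashes).
SAMPLE_LOG='1111111111111111111111111111111111111111 G User Name <user.name@email.com>
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 B Someone Else <someone@example.com>
4444444444444444444444444444444444444444 U Unknown Key <key@example.com>'

# Run with --demo to audit the constructed sample instead of a repository.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | audit_signatures \
    || echo "audit failed: unverified commits present"
fi
```

For a real check, run `audit_repo /path/to/clone`; the signer's public key must be in your local keyring for a signature to be reported as anything other than UNCHECKABLE.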

References:

https://git-scm.com/docs
