Commit Signing with GPG
What is Commit Signing?
In Git, you may commit using any name and email address. However, Git supports signing commits and tags using a GPG key pair.
By signing a commit, other users with your public key can verify the commit was created by the owner of that key. Users can also share their public key with their remote hosting service, such as GitHub, so that commits appear as verified on their website.
Commit Signing Requirements
Before you start signing your commits, you will first need to install and configure GPG. GPG download files can be found here. Our recommendations to get GPG installed quickly are below.
Note: If you have GitKraken open, we recommend closing the application before installing GPG.
Windows: Gpg4win, simply follow the installer.
Mac: We recommend downloading GPG on Mac through Brew. Once you have brew, simply run
brew install gpg.
Linux: Install gpg through your distribution’s package manager.
apt install gnupg
dnf install gnupg2
yum install gnupg2
Once you have installed GPG to your machine, you can verify it is installed and check the version by opening your terminal and running
Note: You may need to replace `gpg` with `gpg2` if you installed GPG2 without an alias. If you have both gpg and gpg2, you will need to prefix with gpg2 if you wish to use the latter.
Generating a GPG Key In GitKraken
If you have GPG installed on your local machine, you will be able to generate a GPG key pair from within GitKraken.
Note: Make sure that you have configured GPG inside of GitKraken.
GPG Preferences, there is an option to
Generate new GPG Key. If you wish to enter a passphrase, make sure you do so prior to selecting
Configure GPG in GitKraken
Once you have GPG installed on your machine, you will need to configure GitKraken to use GPG. Launch GitKraken and navigate to Preferences → GPG Preferences.
Signing Key: This dropdown list will contain all of your local keys. Select the key you wish GitKraken to use when signing your commits and tags. If this list is blank you can try the following troubleshoots:
- You may need to configure the GPG Program setting first.
- If you installed GPG while GitKraken was open, you may need to fully close GitKraken and re-launch it.
GPG Program: This is the location of where GPG is installed on your local machine. If GPG is on your path, GitKraken should automatically detect the GPG program. However, it is possible to have multiple installations of GPG so you can specify which one GitKraken should point to by using the button.
If you do not know where GPG is installed on your local machine, launch a terminal and enter:
which gpg for Mac & Linux. On Windows, use:
Sign Commits by Default: Enabling this checkbox will have GitKraken sign any commit you create going forward.
Sign Tags by Default: Enabling this checkbox will have GitKraken sign any tags you create going forward.
Generate new GPG Key: GitKraken will generate a new GPG key for you, see Generating a GPG Key In GitKraken.
Verifying a Local Commit is Signed
You can verify a commit has been signed by selecting a commit and viewing the commit panel. An icon will appear to the left of the commit SHA on signed commits only.
If you hover over the badge, you will see a tooltip which displays the Signature details.
Below is a list of possible signature codes and what they mean:
GOODSIG-- The signature with the keyid is good.
EXPSIG-- The signature with the keyid is good, but the signature is expired.
EXPKEYSIG-- The signature with the keyid is good, but the signature was made by an expired key.
REVKEYSIG-- The signature with the keyid is good, but the signature was made by a revoked key.
BADSIG-- The signature with the keyid has not been verified.
ERRSIG-- It was not possible to check the signature. This may be caused by a missing public key or an unsupported algorithm.
Uploading Your GPG Key to a Remote Hosting Service
To upload your GPG public key to your remote hosting service, we recommend viewing the documentation for the respective hosting service:
To copy your GPG public key in GitKraken, navigate to Preferences → GPG Preferences and below your Signing Key, select
Copy GPG Public Key.
Editing Your GPG Key
Editing your gpg key is helpful when you wish to add another email address to a key or renew an expired key. To edit a GPG key, navigate to your terminal and enter
gpg --list-secret-keys --keyid-format LONG. This command will output a list of your GPG keys, take note of the ID of the key you wish to edit.
Now that you have the key ID, you can edit the key. To do so enter
gpg --edit-key FFFFFF where
FFFFFF is your key ID. You will then enter an editing session with your GPG key.
Below is a list of useful commands to edit your key:
adduid- Add a new user ID to the GPG key
deluid- Delete a user ID from the GPG key
trust- Change the owner trust value. This updates the trust database immediately and no save is required.
expire- Change a key expiration time
save- Save all changes to the current key and quit
quit- Quit without updating the current key
For a complete list you can review GNU’s documentation.
Deleting your GPG Key
You can delete your key via terminal with the command
gpg --delete-secret-keys simply append your username or key ID.
There will be several prompts to make sure that you really want to delete your GPG key: