GPG signing git commits
GNU Privacy Guard (GnuPG or GPG) is the free and open source implementation of the OpenPGP protocol, that allows you to encrypt and sign your data and communication.
In the context of git, this allows users to verify that data is coming from a trusted source.
This article will cover how to setup GPG and configure it to sign your git commits.
Generating your own GPG key
Keys can be generated either from the command line or by leveraging GUI applications.
The command line tool for GPG should come installed by default on Ubuntu. However if it’s not provided you should be able to install it by running:
sudo apt install gnupg
To generate a key run the below command and follow the on screen instructions.
gpg --gen-key
Like with SSH keys it’s recommended to use a passphrase to add an extra layer of security.
Once setup you can list the keys registered.
gpg --list-keys
If you want to modify an existing key run
gpg --edit-key <id>
where <id> is replace with your ID that is displayed after key creation creation or when calling the list command.
Useful tools
- Seahorse - GNOME application for managing encryption keys
- GNU Privacy Assistant (GPA) - GUI for the GnuPG
- OpenPGP Applet - GNOME application for easy signing/decrypting messages
- Mailvelope - Chrome extension for signing/decrypting emails
Usage within git
To configure commit signing on a single commit provide the -S flag. e.g.
git commit -S -m 'Your message here'
Alternatively this can either be configured on an repository level by
git config commit.gpgsign true
or globally by running
git config --global commit.gpgsign true