You Really Should Be Using Signed Commits on GitHub
Introduction
Security should be paramount in your Software Development Life Cycle (SDLC). Software engineers, developers, programmers, whatever you call yourself, need to stay vigilant about every aspect of your code. This article focuses on one particular method of protecting a GitHub repository from malicious changes: signing your commits.
Signing a commit ties it to a cryptographic key instead of to the author and committer fields, which anyone can set to any name and e-mail address. An unsigned commit therefore proves nothing about who made it. A signature over the commit object proves that the holder of the private key produced exactly that commit (tree, parents, author, message) and that it has not been altered since it was signed; any change to the commit invalidates the signature. That makes it much harder for an attacker, a compromised account or a hijacked build machine to slip malicious code into a codebase under your name.
When you push signed commits to GitHub and the matching public key is registered on your account, the service marks each one with a green Verified badge in the commit listing. Commits without a signature, or with a signature GitHub cannot match to a key on your account, do not get the badge.
Install GPG on Windows
We begin by downloading the GPG command-line tools installer for Windows. Double-click the installer to begin the installation:
The installer includes the command-line tools and the Windows applications needed to manage your keys.
The GnuPG command-line tools are always installed. Of the optional components, Kleopatra (a graphical key manager) is the most useful for this task and GpgEX (an Explorer shell extension) is merely convenient. You can install the other components, but they are not required for our goal of signing commits.
Set the destination for the installation.
When the installer has completed, click the Finish button to close the installation dialog.
Generate GPG Key Pair
If you are using GnuPG version 2.1.17 or later, use the following command to generate a GPG key pair:
$ gpg --full-generate-key
Accept the default kind of key by pressing Enter:
You will want to change the default key size, specifying 4096 bits and pressing Enter.
Specify the length of time the key will be valid. I accepted the default 0, so that my key does not expire. An expiry date is the safer choice: it limits how long a lost or stolen key stays usable, and it can be extended at any time without creating a new key, whereas a non-expiring key can only be withdrawn with the revocation certificate.
Type y then press Enter to confirm the expiry.
Type your name then press Enter.
Enter your e-mail address and any comment you wish. The e-mail address must be one that is verified on your GitHub account and the same address Git records in user.email; GitHub matches the signature to you through that address, and a mismatch leaves the commit without the Verified badge. Finally, you are asked to confirm the values you entered: type N, C or E to change the name, comment or e-mail, or type O then press Enter to confirm.
You will be prompted to enter a passphrase. NOTE: It is vital to remember this passphrase, as you will need it whenever a commit is signed (gpg-agent caches it for a while, so you are not asked on every single commit).
Please note the following recommendation from the generator:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
The generator also writes a revocation certificate and reports its location in the console output, e.g.:
gpg: revocation certificate stored as 'C:/Users/ricar/AppData/Roaming/gnupg/openpgp-revocs.d\54325678CEBF21A9A84176C6999D06170194FG5G.rev'
Back it up securely and separately from the key itself: it is what lets you declare the key compromised or retired if you ever lose the private key or forget the passphrase. Anyone holding it can revoke your key, so treat it as sensitive. Keep a backup of the private key as well, since the revocation certificate cannot recreate it.
The following command confirms that your key pair was generated and shows the information you need to export the key.
$ gpg --list-secret-keys --keyid-format=long
Copy the long key ID from the sec line: that is the primary key, and its [SC] flags show it can sign and certify. In the example listing it is 000D041892945F6G. The ssb line is a subkey flagged [E], meaning encryption only; GitHub's instructions use the sec ID, and that is the one to use below (gpg resolves the subkey ID to the same key pair, but naming the signing key avoids confusion):
C:/Users/ricar/AppData/Roaming/gnupg/pubring.kbx
------------------------------------------------
sec   rsa4096/000D041892945F6G 2021-09-12 [SC]
      34341831CE9A841BF21A76000D041892945F6G
uid           [ultimate] Your Name <your.email@gmail.com>
ssb   rsa4096/24FC3G030D1CF8C 2021-09-12 [E]
Use the following command to export the public half of your newly generated key, in ASCII-armored form, to a text file. For example, this is the command I used (replace C:\Temp\gpg.key with your own file path and filename, or leave off > filepath\filename to print the key in the Command window):
$ gpg --armor --export 000D041892945F6G > C:\Temp\gpg.key
Only the public key is exported this way; the private key never leaves your machine and must not be pasted into GitHub.
Add Your GPG Key to Your GitHub Account
Log in to GitHub, click your profile photo in the upper-right corner, and choose Settings from the dropdown menu:
Find and click SSH and GPG keys in the left-hand navigation:
Click New GPG key.
Paste the contents of the exported file, the block beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----, into the key input and save:
Configuring Git to Sign Your Commits
Open a Command window.
Use the following command to get the ID of the key you want to sign your commits with:
gpg --list-secret-keys --keyid-format=long
Copy the long key ID from the sec line, the signing-capable primary key, which is 000D041892945F6G in the example; the ssb line is the encryption-only subkey:
C:/Users/ricar/AppData/Roaming/gnupg/pubring.kbx
------------------------------------------------
sec   rsa4096/000D041892945F6G 2021-09-12 [SC]
      34341831CE9A841BF21A76000D041892945F6G
uid           [ultimate] Your Name <your.email@gmail.com>
ssb   rsa4096/24FC3G030D1CF8C 2021-09-12 [E]
You can set your GPG signing key using the command below, substituting your own ID for 000D041892945F6G:
$ git config --global user.signingkey 000D041892945F6G
Two further checks save a lot of head-scratching. First, the address in git config user.email must match the address on the key's uid line and a verified address on your GitHub account, or GitHub will not show the commit as Verified. Second, Git for Windows bundles its own gpg.exe that knows nothing about the keyring the GnuPG you just installed created; if git reports that it cannot find your key, set the gpg.program option to the full path of the gpg.exe from that GnuPG installation (in its bin folder under Program Files).
Signing Commits
You can configure Git to sign every commit in the current repository by default, if you are using Git version 2.0 or later:
$ git config commit.gpgsign true
To sign all commits by default in every one of your local repositories, use the global setting:
$ git config --global commit.gpgsign true
Alternatively, sign an individual commit from the command line with the -S flag:
git commit -S -m "commit message"
In either case, you will be prompted for the passphrase you chose when you generated your GPG key. Note that commit.gpgsign covers commits only; tags are signed separately with the -s option of git tag. Rewriting history (amend, rebase) creates new commit objects, and with commit.gpgsign set those new commits are signed with your key.
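The two steps that trip people up, choosing which key ID to give Git and confirming that a commit really carries a good signature, can be exercised end to end in a throw-away keyring before touching a real repository. The script below is an added example, not code from this article or from GitHub's documentation; it is written for a POSIX shell (Git Bash on Windows, or any Linux or macOS shell) and assumes gpg, gpgconf and git are on the PATH. The --with-colons sample listing, the demo identity Demo Signer <demo@example.com> and the expired placeholder key ID 0123456789ABCDEF are constructed for the example.

```sh
#!/bin/sh
# Added example (not code from the article): a helper that picks the right key ID
# for git, plus a throw-away end-to-end run of the article's procedure.
set -eu

# pick_signing_key EMAIL
# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the long
# key ID of the first secret key that can sign (capability field contains "s"),
# is neither expired ("e") nor revoked ("r"), and carries a user ID with EMAIL.
# That is the ID for git's user.signingkey: the signing-capable primary key on the
# "sec" line, not an encryption-only subkey on an "ssb" line.
pick_signing_key() {
    awk -F: -v email="$1" '
        $1 == "sec" { keyid = $5; ok = (index($12, "s") > 0 && $2 != "e" && $2 != "r") }
        $1 == "uid" && ok && index($10, "<" email ">") { print keyid; ok = 0 }
    '
}

# Constructed sample of --with-colons output mirroring the article's listing (key
# IDs are the article's placeholders): a signing-capable primary key with an
# encryption-only subkey, followed by an expired key (placeholder ID
# 0123456789ABCDEF) for the same address, which must be skipped.
SAMPLE_LISTING='sec:u:4096:1:000D041892945F6G:1631404800:::u:::scESC:::+:::23::0:
fpr:::::::::34341831CE9A841BF21A76000D041892945F6G:
uid:u::::1631404800::::Your Name <your.email@gmail.com>::::::::::0:
ssb:u:4096:1:24FC3G030D1CF8C:1631404800::::::e:::+:::23:
sec:e:4096:1:0123456789ABCDEF:1262304000:1293840000::u:::scESC:::+:::23::0:
uid:e::::1262304000::::Old Name <your.email@gmail.com>::::::::::0:'

# signed_commit_demo
# Generates a key in a temporary GNUPGHOME, configures a temporary repository to
# sign commits, makes one signed and one unsigned commit, and verifies both.
# Prints "<signed> <unsigned>" using git's %G? status: G = good signature,
# N = no signature.
signed_commit_demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Unattended key generation. %no-protection (no passphrase) is acceptable only
    # for this disposable key; a real signing key gets a passphrase, as in the
    # article. ed25519 is chosen for speed; the article's RSA 4096 key behaves the same.
    printf '%s\n' '%no-protection' 'Key-Type: eddsa' 'Key-Curve: ed25519' \
        'Key-Usage: sign' 'Name-Real: Demo Signer' 'Name-Email: demo@example.com' \
        'Expire-Date: 0' '%commit' > "$work/params"
    gpg --batch --quiet --generate-key "$work/params"

    keyid=$(gpg --list-secret-keys --with-colons | pick_signing_key demo@example.com)

    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name "Demo Signer"
    git -C "$repo" config user.email demo@example.com   # must match a uid on the key
    git -C "$repo" config user.signingkey "$keyid"
    git -C "$repo" config commit.gpgsign true           # sign every commit by default

    echo "hello" > "$repo/README.md"
    git -C "$repo" add README.md
    git -C "$repo" commit -q -m "signed commit"
    signed=$(git -C "$repo" log -1 --format=%G?)

    # --no-gpg-sign overrides commit.gpgsign: this commit carries no signature.
    git -C "$repo" commit -q --allow-empty --no-gpg-sign -m "unsigned commit"
    unsigned=$(git -C "$repo" log -1 --format=%G?)

    # verify-commit exits 0 only for a good signature by a key in the keyring;
    # it is the check to run in CI or in a server-side hook.
    git -C "$repo" verify-commit HEAD~1
    if git -C "$repo" verify-commit HEAD 2>/dev/null; then
        echo "unsigned commit unexpectedly verified" >&2
        return 1
    fi

    gpgconf --kill gpg-agent
    rm -rf "$work"
    echo "$signed $unsigned"
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    signed_commit_demo
else
    echo "gpg and git are required for the end-to-end demo" >&2
fi
```

pick_signing_key reads the machine-readable --with-colons form rather than the human-readable listing shown earlier; that is the form to parse in scripts, since the column layout of the normal listing is not stable. The demo key has no passphrase so the run is unattended; your real key prompts for one. The last line printed is the pair of %G? statuses, G for the signed commit and N for the unsigned one, and git verify-commit exits non-zero for the latter, which is exactly the condition a CI job or pre-receive hook can refuse.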
Happy coding!