How to sign your git commit?

First things first: you are supposed to have a digital key. Don’t have one? Get one! But how? Here is how to create a GPG key from the command line.

I am assuming (oh yeah, I can’t help myself about that, thinking of you being smart enough to figure it out) that if you haven’t installed GnuPG yet, you will read about it here and take advantage of your OS’s package manager to install the package.

Again, once you have set up your GPG key and uploaded it to one of the keyservers, it will sync with the other keyservers too. Mind you, only share your public key; the private key should reside with you.

Heads up! For heaven’s sake, please remember the passphrase you enter while creating the key, and do not forget to create a revocation certificate too.

Another way: you might start using Keybase, which is quite new but has promise and will take over GnuPG soon (thinking in that direction). If you want to use it, please let me know; I have a few invites left with me. But please disclose your original identity.

Now, you need to tell git to use your private key to sign your commits, but how? Here is what you should do, read on:

I think this page explains it very well. Put in some effort to read it and understand it.

I believe you understood the previous link about GPG signing (again, assuming you did!). Once you are properly done with it, you can verify a commit like below:

bhaskar@ArchLinux_17:34:07_Fri Nov 25:~/git-linux/Linux_Infrastructure_Management>git log --show-signature -1
commit a825344b39e962dcf3df91a276cfb53fd57db4dc
gpg: Signature made Sun 20 Nov 2016 04:27:44 PM IST
gpg:                using RSA key B23A9DB7114B2915
gpg: Good signature from "Bhaskar Chowdhury (Musing_with_GNU/Linux!!) <unixbhaskar@gmail.com>" [ultimate]
gpg:                 aka "[jpeg image of size 62428]" [ultimate]
Author: Bhaskar Chowdhury <unixbhaskar@gmail.com>
Date:   Sun Nov 20 16:27:33 2016 +0530

modified few sentences

Signed-off-by: Bhaskar Chowdhury <unixbhaskar@gmail.com>
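Reading gpg output by eye works for one commit. For a whole branch, git can print a one-letter signature status per commit with the %G? format placeholder. The script below is an added example, not part of the original post: the function names and the sample lines are made up for illustration, and it lists every commit whose status is anything other than a good signature.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input lines come from:  git log --format='%G? %h %ae'
# %G? status codes are git's own: G good, B bad, U good with unknown
# validity, X expired signature, Y expired key, R revoked key,
# E cannot be checked, N no signature.

# Reads "<code> <hash> <email>" lines on stdin, prints every commit whose
# status is not G together with the reason, and returns 1 if any was found.
classify_signatures() {
    awk '
        BEGIN {
            why["B"] = "bad signature"
            why["U"] = "good signature, key validity unknown"
            why["X"] = "signature expired"
            why["Y"] = "signed by an expired key"
            why["R"] = "signed by a revoked key"
            why["E"] = "signature cannot be checked"
            why["N"] = "no signature"
        }
        $1 == "G" { next }
        {
            reason = ($1 in why) ? why[$1] : "unrecognised status"
            printf "%s %s: %s\n", $2, $3, reason
            failed = 1
        }
        END { exit (failed ? 1 : 0) }
    '
}

# Checks the last N commits (default 20) of the repository in the current directory.
check_repo() {
    git log -n "${1:-20}" --format='%G? %h %ae' | classify_signatures
}

# Constructed sample input; hashes and addresses are made up.
sample_log() {
    cat <<'EOF'
G 0000aaaa1111 dev@example.org
N 1111bbbb2222 dev@example.org
E 2222cccc3333 other@example.org
EOF
}

sample_log | classify_signatures || true
```

Inside a real repository, check_repo 50 runs the same check over the last 50 commits; its non-zero exit status can fail a pre-push hook or a CI job.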

But hey! How do you sign the commit? Two ways:

1. You need to pass -S along with the commit command and give the key hash. This is the laborious way to do it and soon becomes very cumbersome.

Of course, there is a better way, and that is the second way of doing it:

2. You need to put it in the global section of the git config (by doing git config --global --add) or set it in a project-specific way. Like below; I have this configuration for this project.

bhaskar@ArchLinux_17:41:10_Fri Nov 25:~/git-linux/Linux_Infrastructure_Management>git config --list
user.email=unixbhaskar@gmail.com
user.name=Bhaskar Chowdhury
user.signingkey=**Long hash for key**(hsg23ljfgdrtu456)
push.default=matching
gpg.program=gpg2
commit.gpgsign=true
core.editor=vim
core.abbrev=12
color.ui=true
pretty.fixes=Fixes: %h ("%s")
log.showsignature=true
alias.logline=log  --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://github.com/unixbhaskar/Linux_Infrastructure_Management.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.master.remote=origin
branch.master.merge=refs/heads/master

You are good enough to read it through, aren’t you? By the way, those are git config options; you need to tell git to use them by providing the key and value at the git command line, like this:

bhaskar@ArchLinux_17:41:26_Fri Nov 25:~/git-linux/Linux_Infrastructure_Management>git config --add user.email unixbhaskar@gmail.com

If you did that with your mail id for the specific project, it will show up as the first line of the output shown above. Likewise, you need to do that for the other options too.

Did you notice there is a “Signed-off-by” line? It can be achieved by using -s (small ess) along with the commit command, or by automating it like the other options mentioned above. Why is it there? Because, oftentimes, the committer and the author of the patch are not the same person. Plus, it is there for reviewing purposes. So, both author and committer get credit for the submission :).

This post is very rudimentary and assumes the reader is capable enough to do a lot of research. BTW, if you have any genuine queries about it, please do let me know.

About unixbhaskar
GNU/Linux Consultant
