How to Sign Commits with GPG

If your commits are not signed, anyone can impersonate you. A malicious internal user can spoof commits simply by changing the name and email in their git config (and their local account's username), then committing and pushing potentially malicious or obfuscated code.

The solution is to use verified commits, by signing them with your GPG key.

For a commit to be verified, it must:

  • Be signed with a valid GPG key
  • The committer's public key must have been uploaded to their GitLab account
  • The committer's Git config email must match one of the verified emails on their GitLab account
  • The GPG key's email must match one of the verified emails on their GitLab account

How-To Sign Commits with GPG

Generate a Key

If you haven't already installed it, you'll need GnuPG. For Windows there is the Gpg4win bundle; for macOS the easiest option is the GPG Tools GUI along with brew install gpg; and for Linux, install gnupg with your package manager or use a GUI of your choice. For more info, take a look at GnuPG.

To generate a GPG key pair, either use the GUI tool, or run: gpg --full-gen-key.

When prompted, select a 4096-bit key, enter your Galaxy email address (or whichever email is verified on your GitLab account) and choose a strong passphrase. Set an expiry date, such as 2 years (you can extend it later).

Once your key is generated, export it, and keep a backup somewhere safe.

Exporting Public Key

Once your GPG key-pair is generated, you'll need to export your public key to GitLab.
Run: gpg --list-secret-keys --keyid-format LONG <you>@galaxydigital.io

You should get an output like this:

sec   rsa4096/3D0EA6XXXXXXXXED 2021-10-06 [SC] [expires: 2025-10-06]
      CFA96DCFB770DFE56A815C2C3D0EA672EE9945ED
uid                 [ultimate] Alicia Sykes (Work key, Galaxy) <alicia.sykes@galaxydigital.io>
ssb   rsa4096/28E302XXXXXXXXF8 2021-10-06 [E] [expires: 2022-10-06]

Using the key ID from the sec line of the output (the part after rsa4096/), you can then export your full armoured public key with gpg --armor --export [key ID]. For example, using the above output, you'd run: gpg --armor --export 3D0EA6XXXXXXXXED, and copy the result to your clipboard.

Adding to GitLab

Next you'll need to add this key to your GitLab account, so go ahead and login.

Then head over to your user settings (click your avatar in the top-right corner, then Settings). On the sidebar you should see an option called GPG Keys.

Click Add New Key, and in the big empty input field paste in your public key (the output from the previous step).

Associate your Git Config with your GPG Key

There's one last step: tell git which key to sign with, by setting the user.signingkey attribute of your git config to the key ID from the sec line above.
Run git config --global user.signingkey [key ID]
For example: git config --global user.signingkey 3D0EA6XXXXXXXXED

Signing Commits

Now that everything is set up, you can commit signed and verified code. Just append the -S flag to your git commits. For example: git commit -S -m "Broke everything.". If you forgot to sign your previous commit, run git commit -S --amend to re-create it with a signature.

You can also set your git config to always sign commits by default, with: git config --global commit.gpgsign true

Note: if you get errors, you may need to tell git to use gpg2 rather than gpg, with git config --global gpg.program gpg2
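The two things that most often leave a commit "unverified" are a wrong key ID in user.signingkey and a git config email that does not match the email on the key's uid. The helper below, added here as an example and not part of the original page, pulls the long key ID and the uid email(s) out of the gpg --list-secret-keys --keyid-format LONG listing and checks a git email against them. It runs offline against a copy of the sample listing shown above (the function and variable names are my own); in practice you would pipe the live gpg output and $(git config user.email) into it.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the commit-signing
# setup by parsing the output of `gpg --list-secret-keys --keyid-format LONG`.
# All function names here are the example's own.

# Sample listing copied from the page's example output, used so the script
# runs offline. Replace with: gpg --list-secret-keys --keyid-format LONG you@example.com
SAMPLE_LISTING='sec   rsa4096/3D0EA6XXXXXXXXED 2021-10-06 [SC] [expires: 2025-10-06]
      CFA96DCFB770DFE56A815C2C3D0EA672EE9945ED
uid                 [ultimate] Alicia Sykes (Work key, Galaxy) <alicia.sykes@galaxydigital.io>
ssb   rsa4096/28E302XXXXXXXXF8 2021-10-06 [E] [expires: 2022-10-06]'

# sec_key_id: read a gpg listing on stdin, print the long key ID from the
# first "sec" line (the part after "rsa4096/"). This is the value that goes
# into `git config --global user.signingkey`.
sec_key_id() {
  awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# uid_emails: read a gpg listing on stdin, print the email address from every
# "uid" line (the text between < and >), one per line.
uid_emails() {
  sed -n 's/^uid.*<\([^>]*\)>.*/\1/p'
}

# check_email_matches_key GIT_EMAIL: read a gpg listing on stdin and succeed
# (exit 0) only if GIT_EMAIL matches one of the key's uid emails, compared
# case-insensitively. A mismatch here is why GitLab shows the commit as unverified.
check_email_matches_key() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  uid_emails | tr '[:upper:]' '[:lower:]' | grep -qxF -- "$want"
}

# report_setup GIT_EMAIL: print the key ID and whether GIT_EMAIL matches the
# key, reading the gpg listing on stdin. Returns 0 on a match, 1 otherwise.
report_setup() {
  listing=$(cat)
  key_id=$(printf '%s\n' "$listing" | sec_key_id)
  echo "signing key ID: $key_id"
  echo "key uid emails: $(printf '%s\n' "$listing" | uid_emails | tr '\n' ' ')"
  if printf '%s\n' "$listing" | check_email_matches_key "$1"; then
    echo "OK: git email $1 matches the key; commits will verify on GitLab"
    return 0
  fi
  echo "MISMATCH: git email $1 is not on the key; commits will show as unverified"
  return 1
}

# Demonstration on the constructed sample. In real use:
#   gpg --list-secret-keys --keyid-format LONG | report_setup "$(git config user.email)"
printf '%s\n' "$SAMPLE_LISTING" | report_setup "alicia.sykes@galaxydigital.io"
```

If report_setup prints a mismatch, fix it with git config --global user.email to one of the key's uid emails (which must also be a verified email on your GitLab account), or add that email as an extra uid on the key; if the printed key ID differs from git config user.signingkey, set user.signingkey to the printed value.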

Further Links / Documentation