You can sign your git commits with GPG to cryptographically verify the commit is really from you. I’m not going to cover how to sign a commit with a GPG key, but rather how to make this work with SourceTree (a good, free graphical Git tool). It isn’t quite so straightforward as I found out.

SourceTree doesn’t support code signing out of the box. We need to configure this in the git-bash shell that SourceTree uses behind the scenes. The below steps will detail the process to set this up.

Setup GPG key

Generating a GPG key is quite straightforward, I won’t repeat material that’s found aplenty. Refer to GitHub’s link on how to.

Once done, add the key to Github. We assume here the keys are generated on Ubuntu bash for Windows. Using any other tool like GPG4Win should work just as well.

Identify the Keys

Here’s the meat of this post. First, on the Ubuntu bash for Windows export your GPG keys (both public and private). Find the Key ID first.

gpg --list-keys

The highted area is your key ID. You’ll be using this in sections below keyID image

Export the keys

Export the public key. Replace the text <keyID> with the ID as obtained above gpg --export <keyID> > public.key

Export the private key gpg --export-secret-key -a <keyID> > private.key

Copy the keys to a location on Windows say, C:\

Add exported keys to SourceTree

Open SourceTree and within a repo, open the terminal:

image

This opens git-bash terminal. We need to import the GPG keys here. Navite to the folder where the keys were copied. In git-bash termial, the C:\ drive is mapped as /c so navigate to that folder: cd /c/

See if there are any keys already present here gpg --list-keys

Now import the two keys:

gpg --import public.key

gpg --allow-secret-key-import --import private.key

Configure SourceTree to Sign all requests

Set git to sign all commits with the following command:

git config commit.gpgsign true

Since the git-bash shell was opened within a particular repo, this will add to the config file of that repo only. To instruct git to sign ALL commits globally, add the --global flag to the above command:

git config --global commit.gpgsign true

This will edit the C:\Users\<user>\.gitconfig global file for the Git installation on that machine. Open this config file and you can see the below section added:

[commit]
	gpgsign = true

Note: An easier way would be to just edit the .git\config by hand and add the above section.

Specify GPG Key to use

We now need to specify WHAT key to use to sign (there may be many keys in the GPG keyring). This is done by the git command:

git config user.signingkey <keyID>

As above, you can issue this command local to a repo or globally by adding the --global flag.

The corresponding config file will be edited to add the key (say, <keyID> = 25FA525E)

[user]
	signingkey = 25FA525E

Note: You can add the signingkey on a per repo basis or globally

Test!

Now commit and push using git-bash or SourceTree. You can see that your commits are now “Verified”

image

Reference: GitHub: Signing Commits