Git Generate Gpg Key Comment


```
$ git merge --verify-signatures -S signed-branch
Commit 13ad65e has a good GPG signature by Scott Chacon (Git signing key)

You need a passphrase to unlock the secret key for
user: 'Scott Chacon (Git signing key) '
2048-bit RSA key, ID 0A46826A, created 2014-06-04

Merge made by the 'recursive' strategy.
```

Working on many projects across multiple identities can be difficult to manage. This is a procedure for leveraging git aliases to set an identity at the project level.

7 Steps total

Step 1: First, Remove Existing Global Identity

```
git config --global --unset user.name
git config --global --unset user.email
git config --global --unset user.signingkey
```

Step 2: Require config to exist in order to make commits

Without the global user name and user email, git would use the system's hostname and username to make commits. Tell git to throw an error instead, requiring you to specify an identity for every new project.

```
git config --global user.useConfigOnly true
```

Step 3: For each identity, generate GPG keys

Generate a GPG public/private key pair:
```
gpg --full-gen-key
```
Choose (1) RSA and RSA (default) key type. Choose key size of 4096 bits. Set the key to not expire (0) unless you want to repeat this step periodically. Finally, set your name and email address. Comment can be left blank.

Once the key pair is generated we need to export the public key.

Step 4: Export the public keys

_For each identity_, export the public key:

```shell
gpg --list-secret-keys --keyid-format LONG [email protected]
```

where `[email protected]` is the email address of the identity you just created.


This will output a `sec` ID in the format of `rsa4096/[serial]`. Copy the serial number, then run this command to output the public key:

```shell
gpg --armor --export [serial]
```

Copy the public key block and add it to your GitHub or GitLab settings. With the public key, GitHub and GitLab can cryptographically verify your commits, placing a 'Verified' label next to each.

Step 5: Set Global Git Config Identities

Now we need to create the identities in git's global config. For example:

```shell
git config --global user.gitlab.name 'Your Name'
git config --global user.gitlab.email '[email protected]'
git config --global user.gitlab.signingkey 543166183AE7043A
git config --global user.github.name 'Your Name'
git config --global user.github.email '[email protected]'
git config --global user.github.signingkey BCF8B7A8C138D16B
git config --global user.identity3.name 'Your Name'
git config --global user.identity3.email '[email protected]'
git config --global user.identity3.signingkey 4F3FFC37B1A027BD
git config --global user.identity4.name 'Your Name'
git config --global user.identity4.email '[email protected]'
git config --global user.identity4.signingkey D921F8BA473CF1FC
```

Step 6: Create Git Alias

Setting a git alias will give us a new git command to use to set the identity at a project level. This really is just a script that sets a particular global identity to the local config.

```
git config --global alias.identity '! git config user.name "$(git config user.$1.name)"; git config user.email "$(git config user.$1.email)"; git config user.signingkey "$(git config user.$1.signingkey)"; :'
```

Step 7: Specify Git Identity

```
$ cd /path/to/git/repo
$ git config user.email # should be no response
$ git config user.github.email
[email protected]
$ git identity github
$ git config user.email
[email protected]
```

Published: Mar 24, 2020 · Last Updated: Mar 06, 2020


Introduced in GitLab 9.5.

GitLab can show whether a commit is verified or not when signed with a GPG key. All you need to do is upload the public GPG key in your profile settings.

GPG verified tags are not supported yet.

Getting started with GPG

Here are a few guides to get you started with GPG:

  • Creating a new GPG key with subkeys (advanced)

How GitLab handles GPG

GitLab uses its own keyring to verify the GPG signature. It does not access any public key server.

In order to have a commit verified on GitLab the corresponding public key needs to be uploaded to GitLab. For a signature to be verified three conditions need to be met:

  1. The public key needs to be added to your GitLab account
  2. One of the emails in the GPG key matches a verified email address you use in GitLab
  3. The committer's email matches the verified email from the GPG key
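
The second and third conditions are the ones that break when several identities and keys share one keyring, as in the per-project alias setup earlier on this page. As an added example (not GitLab's or the original author's code), this shell check parses `gpg --list-secret-keys --with-colons` output and confirms that the configured `user.signingkey` belongs to a key carrying `user.email`. It assumes `user.signingkey` holds the long key ID; the listing and its e-mail addresses are constructed, and the two key IDs are the sample values from Step 5.

```shell
#!/bin/sh
# Added example, not from the original page. E-mail addresses are constructed;
# the two key IDs are the sample values used in Step 5.

# Constructed stand-in for `gpg --list-secret-keys --with-colons` output.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:543166183AE7043A:1583452800:::u:::scESC:
uid:u::::1583452800::CONSTRUCTED1::Your Name <gitlab-user@example.com>:
sec:u:4096:1:BCF8B7A8C138D16B:1583452800:::u:::scESC:
uid:r::::1583452800::CONSTRUCTED2::Your Name <old@example.com>:
uid:u::::1583452800::CONSTRUCTED3::Your Name <github-user@example.com>:
EOF
}

# keys_for_email EMAIL < colon-listing
# Print the long ID of every non-revoked, non-expired key that carries EMAIL
# on a non-revoked, non-expired uid. Field 2 = validity, 5 = key ID, 10 = user ID.
keys_for_email() {
    awk -F: -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        $1 == "sec" || $1 == "pub" { key = $5; usable = ($2 !~ /^[re]/) }
        $1 == "uid" && usable && $2 !~ /^[re]/ && match($10, /<[^<>]+>/) {
            email = tolower(substr($10, RSTART + 1, RLENGTH - 2))
            if (email == want && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# check_identity EMAIL KEYID < colon-listing
# Succeed only if KEYID (case-insensitive) is one of the keys carrying EMAIL.
check_identity() {
    keys_for_email "$1" | grep -Fxiq -- "$2"
}

# Real use inside a repository, after `git identity github`:
#   gpg --list-secret-keys --with-colons |
#       check_identity "$(git config user.email)" "$(git config user.signingkey)" ||
#       echo "user.email is not a uid on user.signingkey" >&2
```

A failure here means commits would be signed with a key whose user IDs do not include the committer address, which GitLab reports as unverified.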

Generating a GPG key

Notes:

  • If your Operating System has gpg2 installed, replace gpg with gpg2 in the following commands.
  • If Git is using gpg and you get errors like secret key not available or gpg: signing failed: secret key not available, run the following command to change to gpg2: `git config --global gpg.program gpg2`

If you don't already have a GPG key, the following steps will help you get started:

  1. Install GPG for your operating system
  2. Generate the private/public key pair with the following command:

    This will spawn a series of questions.

  3. The first question is which algorithm can be used. Select the kind you want or press Enter to choose the default (RSA and RSA):

  4. The next question is key length. We recommend to choose the highest value which is 4096:

  5. Next, you need to specify the validity period of your key. This is something subjective, and you can use the default value which is to never expire:

  6. Confirm that the answers you gave were correct by typing y:

  7. Enter your real name, the email address to be associated with this key (should match a verified email address you use in GitLab) and an optional comment (press Enter to skip):

  8. Pick a strong password when asked and type it twice to confirm.

  9. Use the following command to list the private GPG key you just created:

    Replace [email protected] with the email address you entered above.

  10. Copy the GPG key ID that starts with sec. In the following example, that's 30F2B65B9246B6CA:

  11. Export the public key of that ID (replace your key ID from the previous step):

  12. Finally, copy the public key and add it in your profile settings

Adding a GPG key to your account

Note: Once you add a key, you cannot edit it, only remove it. In case the paste didn't work, you'll have to remove the offending key and re-add it.

You can add a GPG key in your profile's settings:

  1. On the upper right corner, click on your avatar and go to your Settings.

  2. Navigate to the GPG keys tab and paste your public key in the 'Key' box.

  3. Finally, click on Add key to add it to GitLab. You will be able to see its fingerprint, the corresponding email address and creation date.

Associating your GPG key with Git

After you have created your GPG key and added it to your account, it's time to tell Git which key to use.

  1. Use the following command to list the private GPG key you just created:

    Replace [email protected] with the email address you entered above.

  2. Copy the GPG key ID that starts with sec. In the following example, that's 30F2B65B9246B6CA:

  3. Tell Git to use that key to sign the commits:

    Replace 30F2B65B9246B6CA with your GPG key ID.

Signing commits

After you have created your GPG key and added it to your account, you can start signing your commits:

  1. Commit like you used to, the only difference is the addition of the -S flag:

  2. Enter the passphrase of your GPG key when asked.

  3. Push to GitLab and check that your commits are verified.

If you don't want to type the -S flag every time you commit, you can tell Git to sign your commits automatically:

Verifying commits

  1. Within a project or merge request, navigate to the Commits tab. Signed commits will show a badge containing either 'Verified' or 'Unverified', depending on the verification status of the GPG signature.

  2. By clicking on the GPG badge, details of the signature are displayed.

Revoking a GPG key

Revoking a key unverifies already signed commits. Commits that were verified by using this key will change to an unverified state. Future commits will also stay unverified once you revoke this key. This action should be used in case your key has been compromised.

To revoke a GPG key:

  1. On the upper right corner, click on your avatar and go to your Settings.
  2. Navigate to the GPG keys tab.
  3. Click on Revoke beside the GPG key you want to delete.

Removing a GPG key

Removing a key does not unverify already signed commits. Commits that were verified by using this key will stay verified. Only unpushed commits will stay unverified once you remove this key. To unverify already signed commits, you need to revoke the associated GPG key from your account.

To remove a GPG key from your account:

  1. On the upper right corner, click on your avatar and go to your Settings.
  2. Navigate to the GPG keys tab.
  3. Click on the trash icon beside the GPG key you want to delete.