Signing Git commits and tags
To sign Git commits and tags with the GPG or SSH key, Git needs to know about the key. To do this, set the key ID (GPG) or the public key path (SSH) as user.signingKey, and set commit.gpgSign and tag.gpgSign to true in the .gitconfig file. The following stripped-down .gitconfig examples show these options for both GPG and SSH.
Tip
If you're using these dotfiles, make sure to use the ~/.gitconfig.local file.
Example using SSH
[commit]
    gpgSign = true
[gpg]
    format = ssh
[tag]
    gpgSign = true
[user]
    email = amoore@example.com
    signingKey = /Users/AlanMoore/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/PublicKeys/35fee608a4a091553bd6dd91053c347b.pub

Example using GPG
[commit]
    gpgSign = true
[tag]
    gpgSign = true
[user]
    email = amoore@example.com
    signingKey = 06B4B8C3D53C9037

If you're using GitHub, you also need to add the public key there so it can verify the commits and tags. To do this, follow the steps described in the Adding a GPG key to your GitHub account or Adding a new SSH key to your GitHub account page from the GitHub documentation. In short, this boils down to the following steps.
Note
The user.email in your .gitconfig should be the same email as the GPG key. Additionally, this email must be registered on GitHub.
- Go to your user settings.
- In the SSH and GPG keys section, click on New SSH key or New GPG key, depending on whether you're using SSH or GPG for signing.
- In the Title field, enter a recognisable name for the key, e.g. personal MacBook. GitHub also shows the key ID in the GPG keys or fingerprint in the SSH keys overview, so no need to include that in the title.
- If you're using an SSH key for Git signing, in the Key type field, select Signing Key.
- In the Key field, copy the public key that was exported from Generate your GPG key or Create a new key.
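
One way to check that a .gitconfig carries the signing settings described above, as an added example that is not part of the original page: the shell function below (check_signing_config is a hypothetical name) reads a config file with git config --file and reports missing options, plus a signing key whose form does not match gpg.format. The sample config and its key path are constructed.

```shell
#!/bin/sh
# Added example: audit a gitconfig file for the signing settings shown above.
# Prints one line per problem; the return status is the number of problems.
check_signing_config() {
    cfg=$1
    problems=0
    get() { git config --file "$cfg" --get "$1" 2>/dev/null; }
    get_bool() { git config --file "$cfg" --bool --get "$1" 2>/dev/null; }
    flag() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ "$(get_bool commit.gpgSign)" = true ] || flag "commit.gpgSign is not true"
    [ "$(get_bool tag.gpgSign)" = true ] || flag "tag.gpgSign is not true"
    [ -n "$(get user.email)" ] || flag "user.email is not set"

    key=$(get user.signingKey) || key=""
    format=$(get gpg.format) || format=openpgp   # Git's default when unset
    if [ -z "$key" ]; then
        flag "user.signingKey is not set"
    elif [ "$format" = ssh ]; then
        # A bare hex string is a GPG key ID, not an SSH public key or path.
        if printf '%s' "$key" | grep -Eq '^(0x)?[0-9A-Fa-f]{8,40}$'; then
            flag "gpg.format is ssh but user.signingKey looks like a GPG key ID"
        fi
    else
        # Without gpg.format = ssh, Git passes the value to gpg as the signing key.
        case "$key" in
            /*|"~"/*|*.pub|key::*|ssh-*)
                flag "user.signingKey looks like an SSH key but gpg.format is not ssh" ;;
        esac
    fi
    return "$problems"
}

# Constructed sample: an SSH-style config with the [gpg] section left out.
if command -v git >/dev/null 2>&1; then
    sample=$(mktemp)
    printf '[commit]\n\tgpgSign = true\n[tag]\n\tgpgSign = true\n[user]\n\temail = amoore@example.com\n\tsigningKey = /constructed/path/key.pub\n' > "$sample"
    check_signing_config "$sample" || echo "problems found: $?"
    rm -f "$sample"
fi
```

Run it against ~/.gitconfig (or ~/.gitconfig.local) after editing; a return status of 0 means none of the checked problems were found.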