- Download GPG (GPG Binary releases) and the `*.sig` file.
  - Windows: GnuPG simple installer (CLI tools)
- Import the GnuPG public keys with a verified `gpg` binary.
  - Use the `gpg` that comes with the Git installation, from Git Bash:

    ```
    where gpg
    gpg --version
    ```

  - Go to the GnuPG public keys reference page and keep it open.
  - Copy the public key block and save it under a `*.asc` file.
  - Import the GnuPG public keys:

    ```
    gpg --import gnupg.asc
    ```

  - Verify that the keys are imported. Notice they are initially untrusted.

    ```
    gpg --list-keys --keyid-format LONG
    ```

  - Note the `key-id` that identifies the key in the current environment:

    ```
    pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]
    ```

  - Verify that the imported keys match the keys on the GnuPG public keys reference page. Trust each key using the following command. Use ultimate trust.

    ```
    gpg --edit-key {key-id} trust
    ```

  - Verify that the GnuPG keys are trusted (expired ones won't show the ultimate trust flag):

    ```
    $ gpg --list-keys --keyid-format LONG
    pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]
          D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
    uid           [ultimate] Werner Koch (dist sig)
    pub   rsa2048/2071B08A33BD3F06 2014-10-29 [SC] [expired: 2020-10-30]
          031EC2536E580D8EA286A9F22071B08A33BD3F06
    uid           [ expired] NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>
    pub   rsa3072/BCEF7E294B092E28 2017-03-17 [SC] [expires: 2027-03-15]
          5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
    uid           [ultimate] Andre Heinecke (Release Signing Key)
    pub   ed25519/528897B826403ADA 2020-08-24 [SC] [expires: 2030-06-30]
          6DAA6E64A76D2840571B4902528897B826403ADA
    uid           [ultimate] Werner Koch (dist signing 2020)
    ```
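The two checks above (imported fingerprints match the reference page, and the keys carry the expected trust) can be scripted instead of compared by eye. This is an added example for Git Bash, not code from the original post; it assumes the machine-readable listing produced by `gpg --list-keys --with-colons --fingerprint` and runs against a constructed sample dump of the four keys shown above.

```shell
# Fingerprints of the four keys shown above, as copied from the GnuPG reference page.
# Compare them against the page before pasting; this list is the trust anchor.
EXPECTED_FPRS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
031EC2536E580D8EA286A9F22071B08A33BD3F06
5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
6DAA6E64A76D2840571B4902528897B826403ADA"

# check_fprs LISTING
# LISTING is the output of: gpg --list-keys --with-colons --fingerprint
# (field 1 = record type, field 2 = validity flag u/e/-, field 5 = long key id;
# an "fpr" record carries the full fingerprint in field 10). Prints one line per
# expected fingerprint (OK ... or MISSING ...) and returns 1 if any is absent.
check_fprs() {
  listing=$1; rc=0
  for fpr in $EXPECTED_FPRS; do
    printf '%s\n' "$listing" | awk -F: -v want="$fpr" '
      $1 == "pub" { val = $2; kid = $5 }
      $1 == "fpr" && $10 == want { print "OK " want " keyid=" kid " validity=" val; found = 1 }
      END { exit !found }' || { echo "MISSING $fpr"; rc=1; }
  done
  return $rc
}

# unexpected_fprs LISTING: flag any key in the keyring that is not on the reference
# list, e.g. one that was imported from somewhere other than the reference page.
unexpected_fprs() {
  printf '%s\n' "$1" | awk -F: -v wanted="$EXPECTED_FPRS" '
    BEGIN { n = split(wanted, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "fpr" && !($10 in ok) { print "UNEXPECTED " $10 }'
}

# Constructed sample dump (abridged records in the shape of real --with-colons output)
# of the keyring after the trust step: three keys ultimate (u), one expired (e).
SAMPLE_LISTING='pub:u:2048:1:249B39D24F25E3B6:1294790400:1640908800::u:::scSC:
fpr:::::::::D8692123C4065DEA5E0F3AB5249B39D24F25E3B6:
uid:u::::::::Werner Koch (dist sig):
pub:e:2048:1:2071B08A33BD3F06:1414540800:1604016000::-:::scSC:
fpr:::::::::031EC2536E580D8EA286A9F22071B08A33BD3F06:
uid:e::::::::NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>:
pub:u:3072:1:BCEF7E294B092E28:1489708800:1805241600::u:::scSC:
fpr:::::::::5B80C5754298F0CB55D8ED6ABCEF7E294B092E28:
uid:u::::::::Andre Heinecke (Release Signing Key):
pub:u:255:22:528897B826403ADA:1598227200:1909353600::u:::scSC:
fpr:::::::::6DAA6E64A76D2840571B4902528897B826403ADA:
uid:u::::::::Werner Koch (dist signing 2020):'

# Against the real keyring: check_fprs "$(gpg --list-keys --with-colons --fingerprint)"
check_fprs "$SAMPLE_LISTING" && unexpected_fprs "$SAMPLE_LISTING"
```

A `MISSING` line means the key on the reference page was never imported; an `UNEXPECTED` line means the keyring holds a key the reference page does not list, which should be removed before trusting anything.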
- Use
- Verify the installation package. Read "Integrity check" by the GnuPG team. If the previous steps were done correctly, a similar message should be displayed; otherwise refer to the aforementioned Integrity check.

  ```
  gpg: Signature made 07-04-2021 20:06:23 Central European Daylight Time
  gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
  gpg: Good signature from "Werner Koch (dist signing 2020)" [ultimate]
  ```
- Install `gpg`.
- Open the Windows command prompt and configure the new installation.
  - Verify the version and location of `gpg`:

    ```
    where gpg
    gpg --version
    ```

  - If `gpg` reports in a language other than English, set the environment variable `LANG=C`. Restart the command prompt.
  - Import the GnuPG keys as described before. Ensure they are trusted.
- Create a GPG key for Git signing. When the key is intended for use on GitHub, follow the latest instructions.

  ```
  gpg --full-generate-key
  ```

- Validate: if Git Bash is still using its own keyring, the new key should be visible only in the command prompt. Run the listing command in both the command prompt and the bash shell.

  ```
  gpg --list-keys
  ```

- Add an alias pointing `gpg` at the new installation in `{SYSTEMDRIVE}/Users/{PROFILE}/.bash_profile` (create the file if needed):

  ```
  alias gpg="'C:\Program Files (x86)\gnupg\bin\gpg.exe'"
  ```

- Restart Git Bash to apply the changes.
- Add the following config changes globally. Setting `commit.gpgsign` to `true` enables signing each commit by default. Without it, each commit would have to be explicitly marked for signing with the `-S` flag (e.g. `commit -S -m "Add new file"`).

  ```
  git config --global gpg.program {PATH_TO_GPG}
  git config --global user.signingkey {KEY_ID}
  git config --global commit.gpgsign true
  ```

- Depending on your preferences, the default behaviour for annotated tags can be changed by modifying the following config:

  ```
  git config --global tag.forceSignAnnotated true
  ```

- Create a temporary repository.

  ```
  mkdir test-repo
  cd test-repo
  git init
  ```

- Add an empty commit and verify that you are prompted for the GPG key passphrase.

  ```
  git commit --allow-empty -m "Signed commit"
  ```

- The signature can be verified using the following methods.

  ```
  $ git verify-commit 64796ee
  gpg: Signature made 14-04-2021 10:00:09 Central European Daylight Time
  gpg:                using RSA key 551760C1C76669F30FEFCDAF59DCC37EB7307329
  gpg: Good signature from "Kamil Gierach-Pacanek (Git signing key) <****@******.com>" [ultimate]
  ```

  ```
  $ git show --show-signature 64796ee
  commit 64796eeea6be5742828f5269a35585c98f02d3c2 (HEAD -> master)
  gpg: Signature made 14-04-2021 10:00:09 Central European Daylight Time
  gpg:                using RSA key 551760C1C76669F30FEFCDAF59DCC37EB7307329
  gpg: Good signature from "Kamil Gierach-Pacanek (Git signing key) <****@******.com>" [ultimate]
  Author: Kamil Gierach-Pacanek <****@******.com>
  Date:   Wed Apr 14 09:59:52 2021 +0200

      Signed commit
  ```
In case the following error occurs during the commit phase:

```
gpg: can't connect to the agent: IPC connect call failed
gpg: keydb_search failed: No agent running
gpg: skipped "34A91BE1A93DDAF6": No agent running
gpg: signing failed: No agent running
error: gpg failed to sign the data
fatal: failed to write commit object
```

Run the following commands to reload the agent:

```
gpgconf --kill gpg-agent
gpg-connect-agent reloadagent /bye
```