Posted: 3 minute read

Only some commits were 'verified'
Only some commits were “verified”

I’ve been committing on Git a lot lately and I’ve been uploading those commits to GitHub. At the same time, I’ve been doing some changes in the repository directly on GitHub and I noticed that the commits that I’ve done in GitHub itself were verified, but the ones that I was uploading from my computer were not. So, I decided to investigated how to “verify” the commits I upload from my computer. Turns out, that GitHub —and I suppose the rest of the online repositories— and Git are able to sign with a PGP key the commits you make to verify your identity against other people. It’s a way to be sure you, and only you, are the one that are committing, thus responsible for the things are doing.

If you what to set up the PGP signing is pretty easy in principle, but could have some caveats. To be honest, I struggled with it on the beginning and every time I committed after I set if up in the beginning I got the following message:

error: gpg failed to sign the data
fatal: failed to write commit object
Verified Signature in GitHub
Verified Signature in GitHub

You can check the knowledge base that GitHub has about the topic here. However, I found that some of the topics are perhaps a little bit outdated and doesn’t give you clear directions about how you can really do it. I also checked this sources to get my solution post:

How I’ve done it

First of all, you need to install pinentry for mac. I’ve installed all of them using homebrew.

brew install gpg gpg-agent pinentry-mac 

Now, you need to created a PGP key runnnig the command:

gpg --full-generate-key

You can do it also with:

gpg --gen-key 

However, if you do like the latter command is not going to give you the option to change the key size, as suggested by GitHub.

Answer all the prompted questions and be specially careful with your email since GitHub is going to recognize you by your verify email. You can also create a comment to identify the key e.g. GitHut Key. Finally create a passphrase that you can remember, or note down in a password manager.

Now, you can have to list all your keys with the command:

gpg --list-secret-keys --keyid-format LONG

sec   rsa4096/<YOUR_LONG_KEY_ID> 2017-11-04 [SC]
uid                 [ultimate] Your Name (GitHub Key) <>
ssb   rsa4096/62E5B29EEA7145E 2017-11-04 [E]

You have to copy to your clipboard <YOUR_LONG_KEY_ID> , with is your key id, and paste in the following commands to configure you Git with your key.

git config --global user.signingKey <YOUR_LONG_KEY_ID>
git config --global commit.gpgsign true

You can certainly not pass the command

git config --global commit.gpgsign true

that configures your Git to always sign your commits with your signature and sign just certain commits with adding the flag pinentry .

You also need to copy your long key id again to get your PGP key with the following command.

gpg --armor --export <YOUR_LONG_KEY>

Which print you full GPG key, beginning with ——BEGIN PGP PUBLIC KEY BLOCK—— and ending with ——END PGP PUBLIC KEY BLOCK—— . Copy it and now you can paste it on your GitHub following this instructions.

Now, to make it work you need to config pinentry for mac as your dialog to enter your passphrase. To do that you have to use the following command to write pinentry-program /usr/local/bin/pinentry-mac in gpg agent config file.

echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf

You can also do it manually.

open ~/.gnupg/gpg-agent.conf

Finally, you need to restart the gpg agent doing the following. This is really important and it’s was one of the reason because I took me so long to finally configure Git with the PGP. Since I haven’t restarted the gpg-agent it hasn’t pick up the configuration.

gpgconf --kill gpg-agent

It’s done!

I recommend you to test it doing a test commit. First time it should to prompt you with a dialog like this

pinentry prompt
pinentry prompt

Where, if you tick save in keychain , it isn’t going to prompt you again.

Note that if you want to sign commits outside of the shell, not all the apps can sign commits. With my setup I’ve tried Tower and GitHub Desktop and they are able to sign without any problem. Keep in mind that I’ve committed first in the shell and then I’ve clicked save in keychain so I don’t know how is going to behave the first time you commit and you haven’t ticked that option or if it’s the first time you sign a commit. In case you had problems with Tower, there are a couple of tutorials out there including Tower:

Enjoy your Git!

Note: I’ve follow this setup in Mac OS X El Capitan 10.11.6 and with Git 2.15.

Leave a comment