GPG Signing for GitHub: Ensuring Secure and Verified Commits

I was trying to make a commit on my local machine and push the changes, but I kept getting the error below, which did not allow me to commit or push:

error: gpg failed to sign the data

fatal: failed to write commit object

While resolving this I worked out both how to do it and why it matters. Here it goes.

Git by itself does not verify the identity of the person making a commit. To guard against impersonation, GPG signing is used as proof that the commit was made by the holder of a specified GPG key.

The benefits of GPG signing are:

  • Authentication: confirms who authored the commit (the holder of the signing key)

  • Integrity: detects any change made to the commit after it was signed

  • Trust and security: lets organizations trust the open source projects they use

  • Prevention: keeps unverified code and documentation out of organizational production

Here are the technical details:

Check whether you have GPG installed on your machine
I am on Windows and installed GPG from the official website:
https://www.gpg4win.org/download.html
Verify it using:
gpg --version

Generate a new GPG key
gpg --full-generate-key

  • Key type: RSA and RSA

  • Key size: 4096 bits

  • Expiration: choose according to your preference

  • Email: must match your GitHub email

List your keys:
gpg --list-secret-keys --keyid-format=long

Copy the key ID for the newly generated key.

Configure Git to use the GPG key
git config --global user.signingkey <keyid>

git config --global commit.gpgsign true

Add GPG key to GitHub
First, export the public key:
gpg --armor --export ABCDEF1234567890

(I have used a sample key ID above.)
Copy the output.
Go to GitHub → Settings → SSH and GPG keys → New GPG key, paste the key, and save.

Verify from your local machine
git commit -S -m "My secure commit"

git log --show-signature


Troubleshooting
In case you still see issues, check whether commit signing is enabled and a signing key is configured:
git config --global --get commit.gpgsign

git config --global user.signingkey
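As an added example (not part of the original post), here is a small POSIX shell script that parses the key listing the way the "copy the key ID" step does and checks the settings the troubleshooting section asks about. The key listing, key ID and e-mail address are constructed sample data; the helper names are my own.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output.
SAMPLE_LISTING='sec   rsa4096/ABCDEF1234567890 2024-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF12345678
uid                 [ultimate] Jane Doe <jane@example.com>
ssb   rsa4096/1122334455667788 2024-01-01 [E]'

# Print the long key ID of each primary secret key (the "sec" lines),
# i.e. the value to pass to `git config --global user.signingkey`.
secret_key_ids() {
  printf '%s\n' "$1" | sed -n 's|^sec  *[a-z0-9]*/\([0-9A-F]\{16\}\).*|\1|p'
}

# Print the e-mail address from each "uid" line of the listing.
key_emails() {
  printf '%s\n' "$1" | sed -n 's|^uid.*<\([^>]*\)>.*|\1|p'
}

# Succeed only if the configured signing key is a primary secret key in the keyring.
signing_key_present() {
  secret_key_ids "$2" | grep -qxF "$1"
}

# Check the settings behind "gpg failed to sign the data":
#   $1 user.signingkey, $2 commit.gpgsign, $3 key listing, $4 e-mail the key must carry
# Prints "ok" when everything lines up, otherwise the first problem found.
diagnose() {
  signingkey="$1"; gpgsign="$2"; listing="$3"; expected_email="$4"
  [ "$gpgsign" = "true" ] || echo "commit.gpgsign is not true (commits are only signed with -S)"
  if [ -z "$signingkey" ]; then
    echo "user.signingkey is not set"; return 1
  fi
  if ! signing_key_present "$signingkey" "$listing"; then
    echo "user.signingkey $signingkey not in secret keyring"; return 1
  fi
  if ! key_emails "$listing" | grep -qxF "$expected_email"; then
    echo "no uid on the key matches $expected_email"; return 1
  fi
  echo "ok"
}

# Sample run against the constructed listing.
diagnose ABCDEF1234567890 true "$SAMPLE_LISTING" jane@example.com
# Real use (not run here): feed in the live values.
# diagnose "$(git config --global user.signingkey)" \
#   "$(git config --global --get commit.gpgsign)" \
#   "$(gpg --list-secret-keys --keyid-format=long)" "you@example.com"
```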



Please review the above document and let me know if you notice any issues or corrections. I have followed this approach successfully myself, but I would love to hear about any challenges or issues others might have encountered.