Quick setup GitHub Keybase.io PGP signed/verified commit

With recent cybersecurity scandals over user-contributed modules written in Python and other languages, it's past time to employ signed/verified commits at GitHub. The free Keybase.io service ties a PGP key to your GitHub account, your online persona at Twitter, your website, etc. (contact me for a Keybase.io invite if needed).

This process assumes an existing Keybase.io ID.

  1. Install the keybase.io client on your laptop.
  2. Import the Keybase public key into GPG:

     keybase pgp export | gpg --import

  3. Import the Keybase private key into GPG:

     keybase pgp export --secret | gpg --allow-secret-key --import

  4. Verify:

     gpg --list-secret-keys --keyid-format LONG

     One of the first lines will look like:

     sec   rsa4096/05F2BD2A525007DF

     Copy the hexadecimal part after the /. This is the public ID of the Keybase.io key pair; it is shown on the Keybase.io public profile, next to the key icon.
  5. Add one or more GitHub verified emails. At least one of these GitHub verified email addresses MUST match the [user] email in ~/.gitconfig, or Unverified warnings appear on GitHub commits! For this example I use my GPG public ID–you use yours.

     gpg --edit-key 05F2BD2A525007DF

     This starts an interactive GPG session. Type

     adduid

     and enter the Name and the Email address, which must exactly match the GitHub verified email address. I also add the @users.noreply.github.com fake email that I always use to avoid spam. Do adduid twice: once for the real GitHub verified email address and again for the github_username@users.noreply.github.com fake email.
  6. Add "trust" from the GPG> prompt:

     trust

     Since it's you, perhaps a trust level of 5 is appropriate. Type

     save

     to save the changes, which may not show up until exiting and reentering the GPG> prompt.
  7. Configure Git to use this key (after exiting the GPG> prompt):

     git config --global user.signingkey 05F2BD2A525007DF

     git config --global commit.gpgsign true

     Check ~/.gitconfig for the signingkey entry under [user] and the gpgsign entry under [commit].
  8. Add the GPG public key to GitHub: copy and paste the output of this command into GitHub's New GPG Key form.

     gpg --armor --export 05F2BD2A525007DF

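As an added check (example code, not from the original post), the script below pulls the key ID out of the step 4 listing and confirms that git's user.email appears as a uid on that key, which is exactly what step 5 requires for GitHub to show the commit as Verified. The key listing is a constructed sample (the uids and the second key are hypothetical); check_live runs the same test against the local gpg and git configuration.

```shell
#!/bin/sh
# Checks that the configured git signing key carries a uid whose e-mail
# matches git's user.email. Works on the text of
# `gpg --list-secret-keys --keyid-format LONG`, so it also runs on a
# captured listing without gpg installed.

# Constructed sample listing: the first key ID is the one from the post,
# the uids and the second key (FFFF...) are hypothetical placeholders.
SAMPLE_LISTING='sec   rsa4096/05F2BD2A525007DF 2018-01-01 [SC]
uid                 [ultimate] Example User <user@example.com>
uid                 [ultimate] Example User <exampleuser@users.noreply.github.com>
sec   rsa4096/FFFFFFFFFFFFFFFF 2018-01-01 [SC]
uid                 [ultimate] Other Key <other@example.com>'

# Step 4: the hexadecimal key ID after the "/" on the first sec line.
keyid_from_listing() {
  printf '%s\n' "$1" | awk '/^sec/ { split($2, a, "/"); print a[2]; exit }'
}

# Step 5: does key $2 in listing $1 carry a uid for e-mail address $3?
# Exit status 0 = match, 1 = no uid on that key has the address.
check_signing_setup() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^sec/ { split($2, a, "/"); cur = a[2] }   # remember which key block we are in
    /^uid/ && cur == key { print }             # keep only uids belonging to that key
  ' | grep -Fq "<$3>"
}

# Live check against the local configuration; needs git and gpg.
# Exit status 2 means the setup is incomplete (no key, e-mail or gpg).
check_live() {
  key=$(git config --global user.signingkey) || return 2
  email=$(git config --global user.email) || return 2
  listing=$(gpg --list-secret-keys --keyid-format LONG 2>/dev/null) || return 2
  check_signing_setup "$listing" "$key" "$email"
}

# Demonstration on the constructed listing.
key=$(keyid_from_listing "$SAMPLE_LISTING")
if check_signing_setup "$SAMPLE_LISTING" "$key" user@example.com; then
  echo "user@example.com is a uid on key $key: GitHub will show Verified"
else
  echo "no matching uid on key $key: GitHub will show Unverified"
fi
```

Run check_live on your own machine after step 8; a non-zero exit means GitHub will flag your commits as Unverified.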

Verify

Make a git commit after the procedure above, and see the signature notes:

   git log --show-signature

Each signed commit's signature block will start with

   gpg: Signature made

Temporarily disable signing

If you temporarily lose access to your GPG password, you won't be able to git commit. A temporary workaround is to edit ~/.gitconfig to have

[commit]
    gpgsign = false

Commits made while signing is disabled will show as Unverified on GitHub, so re-enable it as soon as you regain access.

Alternatively, if you prefer not to sign by default, you can sign only certain commits with

git commit -S

Note that’s a capital S.
