Runar Ovesen Hjerpbakk

Programmer. Software Architect. Technical Manager.

Signing commits using GitHub Desktop on macOS

This morning I got inspired by Phil Haack’s post on proving the identity of package authors. How can you know people are who they say they are online? A step of the way is a social proof, that is you link your identity on many different services together, thus increasing the certainty that you are you for every service added.

The place to tie these identities together is Keybase.io.

So not only did I install and join Keybase, I decided to begin signing my Git commits with my PGP-key. Signed commits on GitHub gets a nice Verified badge when the key used to sign the commit matches that registered on the given user’s profile.

This increases the public’s confidence that the commit was indeed submitted by the actual person, and when this again can be verified on services like Keybase we’re almost there.

Setup commit signing

The following is a guide to setup automatic signing of commits on macOS. It even works with the GitHub Desktop app!

Install GPG Keychain from GPG Suite

Install GPG Suite, you can safely do a customized install and deselect GPGMail which you do not need.

Install Keybase and create a PGP key

The UI is intuitive and creating a PGP key should be easy. Remember to include the email address you also use on GitHub. This is the key you’ll use to sign your commits.

Import your key locally from Keybase

Visit your Keybase profile and copy the key identifier, mine is D0EF4E5CC7F16087, and use this in the following commands.

First import your public key:

keybase pgp export -q D0EF4E5CC7F16087 | gpg --import

And then import your private key:

keybase pgp export -q D0EF4E5CC7F16087 --secret | gpg --allow-secret-key-import --import

Make GitHub aware of your key

Put your GPG key on the pasteboard:

keybase pgp export -q D0EF4E5CC7F16087 | pbcopy

Open https://github.com/settings/keys, press New GPG Key and paste your key in the key textbox.

Configure Git to automatically sign your commits

Git is configured using a .gitconfig-file. We do not need to edit this file manually but can use a couple of git config commands to achieve what we want.

First, set gpg2 from the GPG Suite as your gpg.progam:

git config --global gpg.program /usr/local/MacGPG2/bin/gpg2

Then you find the ID of the key which you’ll use to sign your commits:

gpg --list-secret-keys

The item starting with sec contains the key ID you need. In the following command, replace 5FD93755 with the key ID from the previous command:

git config --global user.signingkey 5FD93755

Finally, tell Git to sign your commits:

git config --global commit.gpgsign true

From now on, every time you do a commit using the git commit command, GitHub Desktop or any other Git-app, the commit will be signed with your personal key. This key is known to GitHub which will mark your commits as Verified and anybody can look you up on Keybase to see that the commit indeed came from you.