Runar Ovesen Hjerpbakk

Software Philosopher

Signing commits using GitHub Desktop on macOS

Edit: this is now trivially easy to do using 1Password; read the instructions on their website.

This morning I got inspired by Phil Haack’s post on proving the identity of package authors. How can you know that people are who they say they are online? One step of the way is social proof: you link your identity on many different services together, and every service you add increases the certainty that you are you.

The place to tie these identities together is Keybase.io.

So not only did I install and join Keybase, I also decided to begin signing my Git commits with my PGP key. A signed commit gets a nice Verified badge on GitHub when the key used to sign it is registered on the committing user’s profile and the committer email address is one verified on that account.

This increases the public’s confidence that the commit really was made by that person, and when the same key can also be verified on a service like Keybase we’re almost there.

Setup commit signing

The following is a guide to setting up automatic signing of commits on macOS. It even works with the GitHub Desktop app: GPG Suite ships a graphical pinentry, so gpg can ask for your passphrase even when Git is run by an app without a terminal.

Install GPG Keychain from GPG Suite

Install GPG Suite. You can safely do a customized install and deselect GPGMail, which you do not need for this.

Install Keybase and create or import a PGP key

First install Keybase, then create or import a PGP key.

Create a new key

The UI is intuitive and creating a PGP key should be easy. Remember to include the email address you also use on GitHub. This is the key you’ll use to sign your commits.

Import an existing key

An existing key that is already in your local GPG keyring can be registered as your Keybase key with the following command, which lets you pick the key and uploads its public half:

keybase pgp select

If the key only exists as an exported file, use keybase pgp import with the file as input instead. (keybase pgp pull does something else: it downloads the public keys of the people you follow.)

Import your key locally from Keybase

Visit your Keybase profile and copy the key identifier (mine is D0EF4E5CC7F16087), then use it in the following commands.

First import your public key:

keybase pgp export -q D0EF4E5CC7F16087 | gpg --import

And then import your private key:

keybase pgp export -q D0EF4E5CC7F16087 --secret | gpg --allow-secret-key-import --import

Make GitHub aware of your key

Put your GPG key on the pasteboard:

keybase pgp export -q D0EF4E5CC7F16087 | pbcopy

Open https://github.com/settings/keys, press New GPG Key and paste your key in the key textbox.

Configure Git to automatically sign your commits

Git is configured through a .gitconfig file. We do not need to edit this file by hand; a couple of git config commands achieve what we want.

First, set gpg2 from GPG Suite as your gpg.program:

git config --global gpg.program /usr/local/MacGPG2/bin/gpg2

This must be the same gpg binary whose keyring received the key in the import step above; if you are unsure, run /usr/local/MacGPG2/bin/gpg2 --list-secret-keys and check that your key is listed.

Then find the ID of the key you’ll use to sign your commits:

gpg --list-secret-keys --keyid-format LONG

The line starting with sec contains the key ID you need. Prefer the 16-character long ID (the same form Keybase shows) over the 8-character short ID: short IDs are cheap to collide, so they are not a reliable way to name a key. In the following command, replace 5FD93755 with the ID of your key:

git config --global user.signingkey 5FD93755

Finally, tell Git to sign your commits:

git config --global commit.gpgsign true

From now on, every time you do a commit using the git commit command, GitHub Desktop or any other Git-app, the commit will be signed with your personal key. This key is known to GitHub which will mark your commits as Verified and anybody can look you up on Keybase to see that the commit indeed came from you.
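As an added example (not code from the original post or from GPG Suite, Keybase or GitHub), the script below wraps the configuration steps above: it pulls the long key ID out of the output of gpg --list-secret-keys --keyid-format LONG, refuses the 8-character short form, applies the three git config settings, and decodes the letter that git log --pretty=%G? prints so you can check the first commit you make afterwards. The gpg2 path is GPG Suite’s default install location, and the sample listing embedded in the script is constructed, not real output.

```sh
#!/bin/sh
# Added example, not code from the original post: the three git config
# settings from the guide, wrapped in a script that first extracts the
# long key ID from a gpg listing and refuses to configure anything else.
# Assumptions: GPG Suite's gpg2 lives at its default path, and the
# sample listing below is a constructed stand-in for real output.

GPG_BIN=/usr/local/MacGPG2/bin/gpg2

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG`
# output (key ID and fingerprint are made up).
SAMPLE_LISTING='/Users/me/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/D0EF4E5CC7F16087 2017-08-12 [SC]
      0123456789ABCDEF01234567D0EF4E5CC7F16087
uid                 [ultimate] Jane Doe <jane@example.com>
ssb   rsa4096/FEDCBA9876543210 2017-08-12 [E]'

# Print the key ID from the first "sec" line of a listing. With
# --keyid-format LONG that is 16 hex digits; gpg 1.x style output
# ("sec   4096R/5FD93755 ...") yields the 8-digit short ID instead.
long_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, p, "/"); print p[2]; exit }'
}

# Accept only a 16-digit long ID or a 40-digit fingerprint. Short 8-digit
# IDs are cheap to collide and should not be used as user.signingkey.
valid_key_id() {
  case "$1" in
    *[!0-9A-Fa-f]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 16 ] || [ "${#1}" -eq 40 ]
}

# The three settings from the guide, applied only for a validated key ID.
configure_signing() {
  valid_key_id "$1" || { echo "refusing to use '$1' as signing key" >&2; return 1; }
  git config --global gpg.program "$GPG_BIN"
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
}

# Map the letter printed by `git log -1 --pretty=%G?` to a human reading,
# for checking the first commit made after the setup.
describe_signature() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key not trusted in local GPG" ;;
    B) echo "BAD signature" ;;
    N) echo "commit is not signed" ;;
    E) echo "signature could not be checked (key missing?)" ;;
    *) echo "other status: $1" ;;
  esac
}

# With --apply, read the real listing from GPG Suite's gpg2 and configure
# git, then report on the newest commit; otherwise just show the ID the
# parser finds in the constructed sample.
if [ "${1:-}" = "--apply" ]; then
  configure_signing "$(long_key_id "$("$GPG_BIN" --list-secret-keys --keyid-format LONG)")"
  describe_signature "$(git log -1 --pretty=%G? 2>/dev/null || echo N)"
else
  echo "sample key ID: $(long_key_id "$SAMPLE_LISTING")"
fi
```

Run it with --apply on the machine you set up; afterwards make a commit from GitHub Desktop and run git log -1 --show-signature to see the full gpg verification output. A status of U simply means your local GPG has not marked your own key as trusted; GitHub does not care about that, only about the key being registered on your account.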