Using gpg for GitHub commits


Motivation

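Occasionally on GitHub I saw that when certain contributors commit code, the GitHub site shows "Verified" next to the commit information. It turned out they were using gpg.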

https://docs.github.com/en/github/authenticating-to-github/about-commit-signature-verification

Installing gpg

First, install gpg and check its version

$ brew install gpg
$ gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/mardan/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Creating a gpg key

https://docs.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key

  • List the existing keys
gpg --list-secret-keys --keyid-format LONG

If you need to generate new keys

gpg --full-generate-key
  • RSA and RSA
  • 4096
  • key does not expire
  • Fill in the remaining information as you see fit

For example, the following keys were generated

pub   rsa4096 2021-04-24 [SC]
B7B19D02FB5A82A14C50677797C0CDDADFC43DAC
uid mardan (github) <xxxxxxxx@outlook.com>
sub rsa4096 2021-04-24 [E]

Exporting the public key

# You can write the full pub ID,
# or the ID shown when listing the existing keys, like: sec rsa4096/97C0CDDADFC43DAC 2021-04-24 [SC]
gpg --armor --export 97C0CDDADFC43DAC

Paste the exported public key into the GPG keys section of your GitHub settings.

Signing with gpg in git

https://docs.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key

git config --global user.signingkey 97C0CDDADFC43DAC

Also add export GPG_TTY=$(tty) to .bashrc or .zshrc; otherwise the commit cannot be signed, because signing requires entering the passphrase set when the keys were generated.

Then make a signed commit and look at the result

Enabling signing globally

Without global signing enabled, you need to add the -S flag on every commit, like git commit -S -m "this is cool code"

git config --global commit.gpgsign true
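
A check that the settings above are consistent, as an added example that is not part of the original post: it parses gpg's --with-colons listing to confirm that the user.signingkey value resolves to a secret key able to sign. The function names and the sample listing (built from the key shown above, with a placeholder subkey) are assumptions made for illustration.

```shell
#!/bin/sh
# signing_key_status LISTING KEY
#   LISTING: output of `gpg --list-secret-keys --with-colons`
#   KEY:     long key ID or full fingerprint, as given to user.signingkey
# Prints one of: ok, not-found, no-sign-capability, expired-or-revoked
signing_key_status() {
    printf '%s\n' "$1" | awk -F: -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        # sec = primary secret key, ssb = secret subkey; field 5 is the long key ID,
        # field 2 the validity, field 12 the capabilities (s = sign)
        $1 == "sec" || $1 == "ssb" { id = $5; validity = $2; caps = $12; next }
        # the fpr record follows its key record; field 10 is the full fingerprint
        $1 == "fpr" && id != "" {
            if (want == id || want == $10) {
                found = 1
                if (validity ~ /^[er]$/)   status = "expired-or-revoked"
                else if (caps !~ /[sS]/)   status = "no-sign-capability"
                else                       status = "ok"
            }
            id = ""
        }
        END { print (found ? status : "not-found") }'
}

# Audit the live configuration (needs git and gpg installed; not called below).
check_git_signing() {
    key=$(git config --global --get user.signingkey) || { echo "user.signingkey is not set"; return 1; }
    st=$(signing_key_status "$(gpg --list-secret-keys --with-colons 2>/dev/null)" "$key")
    echo "user.signingkey $key: $st"
    [ "$(git config --global --get commit.gpgsign)" = "true" ] ||
        echo "commit.gpgsign is off: pass -S on each commit"
    [ -n "${GPG_TTY:-}" ] || echo "GPG_TTY is unset: the passphrase prompt may fail"
    [ "$st" = "ok" ]
}

# Constructed sample listing: key ID and fingerprint are the ones shown above,
# timestamps and the subkey (1111...) are placeholders.
SAMPLE_LISTING='sec:u:4096:1:97C0CDDADFC43DAC:1619222400:::u:::scESC:
fpr:::::::::B7B19D02FB5A82A14C50677797C0CDDADFC43DAC:
uid:u::::1619222400::::mardan (github) <xxxxxxxx@outlook.com>:
ssb:u:4096:1:1111111111111111:1619222400::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'

signing_key_status "$SAMPLE_LISTING" 97C0CDDADFC43DAC
```

Run check_git_signing in your own shell to audit the real keyring; pointing user.signingkey at the [E] subkey is reported as no-sign-capability.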