
✍️ Signed commits

At Bytsolv we protect the integrity and security of our codebases, especially in client projects where several people have write access. Signed commits prevent impersonation and give accountability: each commit carries a signature that verifies the contributor's identity, which keeps the history of changes trustworthy. Requiring signed commits reflects our commitment to high security standards, transparent collaboration and quality service.

1. Signing commits with a GPG key

GPG keys sign (and can encrypt) data. A commit signed with your private key carries a digital signature that anyone holding your public key can verify, so only the holder of the private key can produce commits attributed to you. This prevents tampering and impersonation in client projects.

Installing the CLI tool

Generating a key pair using gpg

  • To generate your key pair:

    gpg --full-gen-key
  • Use RSA and RSA as the algorithm for your key.
  • Set the key length to 4096, as recommended by GitLab.
  • Choose the validity period.
  • Enter your name and the email address verified on GitLab / code.byt.so.
  • Provide a passphrase.
  • Your GPG key is generated.
  • List your private GPG keys:

    gpg --list-secret-keys --keyid-format LONG <EMAIL>
  • In the output, find the sec line and copy the GPG key ID. It begins after the / character, e.g. A2E0405D4001A99A.
  • To show the associated public key, run this command, replacing <ID> with the GPG key ID from the previous step:

    gpg --armor --export <ID>
  • Copy the public key, including the BEGIN PGP PUBLIC KEY BLOCK and END PGP PUBLIC KEY BLOCK lines. You need this key in the next step.

Add a GPG key to your account

  • Sign in to the code vault
  • On the left sidebar, select your avatar.
  • Select Edit profile.
  • Select GPG Keys.
  • Select Add new key.
  • In Key, paste your public key.
  • To add the key to your account, select Add key. GitLab shows the key’s fingerprint, email address, and creation date.
Note: while working with client-owned repositories, also add the GPG key to your account on the client's Git provider (for example GitHub, GitLab or Bitbucket).

Associate your GPG key with Git

After you create your GPG key and add it to your account, you must configure Git on your local machine to use this key:

  • If you have previously configured Git to use a different key format when signing with --gpg-sign, unset that setting so the default format, openpgp, is used:

    git config --global --unset gpg.format
  • Configure Git to sign your commits with your key, replacing <KEY ID> with your GPG key ID:

    git config --global user.signingkey <KEY ID>

Sign your Git commits

After you add your public key to your account, you can sign individual commits manually, or configure Git to default to signed commits:

  • Sign individual Git commits manually:
    • Add -S flag to any commit you want to sign:
      git commit -S -m "My commit message"
    • Enter the passphrase of your GPG key when asked.
    • Push to GitLab and check that your commits are verified.
  • Sign all Git commits by default by running this command:
    git config --global commit.gpgsign true

Troubleshooting

  • gpg failed to sign the data

    If your GPG key is passphrase protected and you receive the error:

        error: gpg failed to sign the data
        fatal: failed to write commit object

    and the passphrase prompt does not appear, add export GPG_TTY=$(tty) to your shell's rc file (commonly ~/.bashrc or ~/.zshrc) and restart your shell.

2. Signing commits with an SSH key

SSH keys are cryptographic keys used for authentication, most commonly for accessing servers. They can also sign commits, which proves the authenticity and integrity of each commit. SSH keys are simple to set up and manage, especially for developers who already use them for repository access, and provide strong, familiar security.

Generate an SSH key pair

  • Run the command below to generate an RSA 2048-bit key:

    ssh-keygen -t rsa -b 2048 -C "<comment>"
  • Enter the passphrase and the filename.
  • Tell Git to use SSH for signing commits:

    git config --global gpg.format ssh
  • Specify which public SSH key to use as the signing key, replacing ~/.ssh/examplekey.pub with the path to your key. The filename depends on how you generated the key:

    git config --global user.signingkey ~/.ssh/examplekey.pub

Add an SSH key to your account

  • Sign in to the code vault
  • On the left sidebar, select your avatar.
  • Select Edit profile.
  • Select SSH Keys.
  • Select Add new key.
  • In Key, paste your public key.
  • To add the key to your account, select Add key.
Note: while working with client-owned repositories, also add the SSH key to your account on the client's Git provider (for example GitHub, GitLab or Bitbucket).

Sign your Git commits

After you add your public key to your account, you can sign individual commits manually, or configure Git to default to signed commits:

  • Sign individual Git commits manually:
    • Add the -S flag to any commit you want to sign:
      git commit -S -m "My commit message"
    • Enter the passphrase of your SSH key when asked.
    • Push to GitLab and check that your commits are verified.
  • Sign all Git commits by default by running this command:
    git config --global commit.gpgsign true
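Both "Sign your Git commits" sections end with checking that commits are verified. As an added example that is not part of this page, the POSIX shell functions below audit a range of commits for good signatures (useful locally after pushing, or as a CI gate) and build the allowed-signers entry that Git needs before it can verify SSH-signed commits at all. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Git reports a per-commit signature status through the %G? placeholder:
#   G good, U good but the key is not trusted, B bad signature,
#   X/Y/R good but expired / key expired / key revoked,
#   E cannot be checked (key unavailable), N no signature.
# For SSH signatures, Git can only reach G when the signing key is listed in
# an allowed-signers file and Git is told where that file lives:
#   git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
# Each line of that file is "<email> <key-type> <base64-key>".

# Build one allowed_signers line from an email and the contents of a public
# key file ("ssh-ed25519 AAAA... comment"); the trailing comment is dropped.
allowed_signers_line() {
  email="$1"
  set -- $2            # split "<type> <key> [comment]" into $1 $2 $3
  printf '%s %s %s\n' "$email" "$1" "$2"
}

# Read "<hash> <status> <author-email>" lines on stdin (the output of
# git log --format='%H %G? %aE' <range>), print every commit whose status
# is not G, and exit 1 if any was found. U is rejected on purpose: the
# fix is to add the key to the trust list, not to accept the commit.
find_unverified() {
  awk 'BEGIN { bad = 0 }
       $2 != "G" { print $1, $2, $3; bad = 1 }
       END { exit bad }'
}

# Real use, e.g. in CI before merging:  audit_range origin/main HEAD
audit_range() {
  git log --format='%H %G? %aE' "$1..$2" | find_unverified
}
```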
