
Only some commits were “verified”

I’ve been committing with Git a lot lately and pushing those commits to GitHub. At the same time, I’ve been making some changes to the repository directly on GitHub, and I noticed that the commits I made on GitHub itself were marked “Verified”, while the ones I pushed from my computer were not. So I decided to investigate how to get the commits I push from my computer “verified” too. It turns out that Git can sign each commit with a PGP key, and GitHub (and, I suppose, the other hosted Git services) checks that signature against the public keys registered on your account. A valid signature proves that the commit was created by whoever holds the private key, so it is a way to be sure that you, and only you, are the one committing and therefore responsible for what was committed.

Setting up PGP signing is easy in principle, but it has some caveats. To be honest, I struggled with it at the beginning, and every time I committed after first setting it up I got the following message:

Verified Signature in GitHub

You can check GitHub’s knowledge base on the topic here. However, I found that some of the articles are a little outdated and don’t give clear directions about how to really do it. I also checked these sources to put together the solution in this post:

How I’ve done it

First of all, you need to install GPG (GNU Privacy Guard, the free implementation of the OpenPGP standard), if you don’t already have it, together with gpg-agent, and you are probably going to need pinentry-mac, the native macOS passphrase dialog. I installed all of them using Homebrew.

Now you need to create a PGP key by running the command:

You can also do it with:

However, the latter command does not give you the option to choose the key size, and GitHub recommends a 4096-bit RSA key.

Answer all the prompts, and be especially careful with the email address: GitHub matches the email in the key’s user ID against the verified email addresses on your account, so a commit signed with a key whose email is not verified there will not show as “Verified”. You can also add a comment to identify the key, e.g. GitHub Key. Finally, choose a passphrase that you can remember, or store it in a password manager.

Now you have to list your keys with the command:

Copy <YOUR_LONG_KEY_ID>, which is the 16-hex-digit long key ID, to your clipboard and paste it into the following commands to configure Git with your key.

You can also skip the command

$ git config --global commit.gpgsign true

which configures Git to always sign your commits, and instead sign only certain commits by adding the -S flag to the git commit command. Some people choose this for security reasons, and so that they are not prompted for their passphrase on every commit. However, as you will see later, you can keep the passphrase in your keychain using pinentry-mac, and signing every commit by default means you never forget to sign one.

You also need your long key ID again to export your public key with the following command.

This prints your full public key in ASCII-armored form, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----. Copy it and paste it into GitHub following these instructions. Note that this is only the public half of the key; the private key never leaves your machine, and you should never paste a block that starts with -----BEGIN PGP PRIVATE KEY BLOCK----- anywhere.

Now, to make it work, you need to configure pinentry-mac as the dialog used to enter your passphrase. To do that, use the following command to write the line pinentry-program /usr/local/bin/pinentry-mac into the gpg-agent configuration file, ~/.gnupg/gpg-agent.conf. (On Macs where Homebrew installs under /opt/homebrew instead of /usr/local, use the path printed by $(brew --prefix)/bin/pinentry-mac.)

You can also do it manually.

Finally, you need to restart gpg-agent as shown below. This is really important, and it was one of the reasons it took me so long to finally get Git working with PGP: since I hadn’t restarted gpg-agent, it had not picked up the new configuration (the agent reads gpg-agent.conf only when it starts).
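The following script is an added example that is not code from the original post; it collects the steps above (install, generate a key, find the long key ID, configure Git, export the public key, point gpg-agent at pinentry-mac, restart the agent, make a test commit) into shell functions. It assumes Homebrew (using brew --prefix so both /usr/local and /opt/homebrew layouts work), gpg 2.x with the sec   rsa4096/<long id> listing format, that gpg --full-generate-key is the key-generation command that prompts for the key size, and that the email passed in matches a verified email on your GitHub account.

```shell
# Added example, not the post's own commands. Assumes Homebrew and gpg 2.x.
set -eu

# Pull the 16-hex-digit long key ID out of
#   gpg --list-secret-keys --keyid-format LONG
# whose secret-key line looks like "sec   rsa4096/3AA5C34371567BD2 2018-01-01 [SC]".
# Reads the listing on stdin and prints the first long ID it finds.
extract_long_key_id() {
  sed -n 's|^sec[[:space:]]*[A-Za-z0-9]*/\([0-9A-Fa-f]\{16\}\).*|\1|p' | head -n 1
}

# The single line gpg-agent needs in ~/.gnupg/gpg-agent.conf to use the given pinentry.
gpg_agent_conf_lines() {
  printf 'pinentry-program %s\n' "$1"
}

# End-to-end setup. Usage (after sourcing this file, inside the repository you
# want a test commit in): setup_git_gpg_signing "you@example.com"
setup_git_gpg_signing() {
  email="$1"
  prefix="$(brew --prefix)"

  brew install gnupg pinentry-mac

  # Interactive: asks for key type, size (choose 4096) and expiry, then the user ID.
  # Use the same email that is verified on your GitHub account.
  gpg --full-generate-key

  key_id="$(gpg --list-secret-keys --keyid-format LONG "$email" | extract_long_key_id)"
  [ -n "$key_id" ] || { echo "no secret key found for $email" >&2; return 1; }

  # Tell Git which key to sign with, to sign every commit, and which gpg binary to call.
  git config --global user.signingkey "$key_id"
  git config --global commit.gpgsign true
  git config --global gpg.program "$prefix/bin/gpg"

  # Public key block to paste into GitHub (Settings -> SSH and GPG keys -> New GPG key).
  # --export never writes the secret key; do not use --export-secret-keys here.
  gpg --armor --export "$key_id"

  # Route passphrase prompts through the native macOS dialog, then restart the
  # agent: it only reads gpg-agent.conf at startup, so the edit is invisible otherwise.
  mkdir -p "$HOME/.gnupg" && chmod 700 "$HOME/.gnupg"
  gpg_agent_conf_lines "$prefix/bin/pinentry-mac" >> "$HOME/.gnupg/gpg-agent.conf"
  gpgconf --kill gpg-agent

  # Test commit; the first signing shows the pinentry-mac dialog. --show-signature
  # prints "Good signature from ..." if Git and gpg are wired up correctly.
  git commit --allow-empty -m "Test signed commit"
  git log --show-signature -1
}
```

The two small helpers are kept separate from the setup function so that the key-ID parsing and the gpg-agent.conf line can be checked without a real keyring; the setup function itself only runs when you call it.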

It’s done!

I recommend that you test it with a test commit. The first time, it should prompt you with a dialog like this:

pinentry prompt

If you tick save in keychain, it is not going to prompt you again; the passphrase is then stored in the macOS keychain and handed to gpg-agent on your behalf.

Note that if you want to sign commits outside the shell, not all apps can sign commits. With my setup I’ve tried Tower and GitHub Desktop, and both are able to sign without any problem. Keep in mind that I committed first in the shell and then clicked save in keychain, so I don’t know how they behave the first time you commit if you haven’t ticked that option, or if it’s the very first time you sign a commit. In case you have problems with Tower, there are a couple of tutorials out there that cover Tower:

Enjoy your Git!

Note: I followed this setup on Mac OS X El Capitan 10.11.6 with Git 2.15.

One thought on “Installing PGP signing for Git on macOS”
