Sunday, November 30, 2014

Git Commit with GPG Key

Preface

Creating a commit in Git is easy: just run "git commit". The author (name and email) is set either by a parameter of this command or by reading the setting from "~/.gitconfig".

Method 1: set the author with a command parameter

$ git commit -am "bug fixed" --author="Author Name <email@address.com>"

Method 2: read the user settings

$ git config --global user.name "Heron Yang"
$ git config --global user.email heron@heron.me

However, nothing guarantees that the author named in a commit is the person with the right permission, because anyone can set these values. This is where GPG comes in.

GPG Design Explained

GPG uses a public-private key pair design, like ssh-keygen. Normally, the author generates a pair of keys: a public key and a private key. It's fine for the author to share the public key, which lets other people create encrypted content for this author. However, no one can decrypt that content without the private key.
So, by sharing the public key and keeping the private key on your own machine, you can be recognised and certified: a signature made with the private key can be verified by anyone who holds the public key.

Git Command with GPG Key

Therefore, if we want to create a Git commit with certification, we should make Git work with GPG. Here are the steps (install GPG before starting):

A. Generate key pair

$ gpg --gen-key # a few questions will pop up; enter your name/email/passphrase and pick the defaults for the others

B. List generated keys

$ gpg --list-keys # list your keys
pub   2048R/xxxxxxxx 2014-11-30
uid       [ultimate] Heron Yang (genrate gpg) <heron.yang.tw@gmail.com>
sub   2048R/yyyyyyyy 2014-11-30
$ gpg --list-secret-keys # list private keys
...

C. Add your GPG key to the Git config

Put your key ID (xxxxxxxx) into the Git configuration with:
$ git config --global user.signingkey xxxxxxxx

D. Commit and See if it works

Commit like this:
$ git commit -S
Check log:
$ git log --show-signature
commit 252aa0dd0643d86df16b93b509a6a15b95xxxxxx
gpg: Signature made Sun Nov 30 13:52:57 2014 CST using RSA key ID xxxxxxxx
gpg: Good signature from "Heron Yang (genrate gpg) <heron.yang.tw@gmail.com>" [ultimate]
Author: Heron Yang <heron.yang.tw@gmail.com>
Date:   Sun Nov 30 13:52:51 2014 +0800
    test gpg
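
To check many commits at once, Git's %G? log placeholder prints a one-letter signature status for each commit. The script below is an added example, not part of the original post: it flags commits that lack a good signature. The function names, the sample log lines and addresses, and the ok/warn/fail policy are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag commits without a good signature, using the one-letter
# status that git prints for the %G? placeholder. In a real repository, feed it:
#   git log --format='%H %G? %ae' | audit_signed_commits

# Map a %G? letter to this example's own policy: ok, warn or fail.
classify_sig() {
    case "$1" in
        G)     echo ok ;;    # good signature
        U|X|Y) echo warn ;;  # good, but validity unknown / signature or key expired
        *)     echo fail ;;  # B bad, R revoked key, E cannot check, N no signature
    esac
}

# Read "<commit> <status> <author email>" lines on stdin, print every commit
# that is not ok, and return 1 if at least one commit is a fail.
audit_signed_commits() {
    failed=0
    while read -r commit status email; do
        [ -n "$commit" ] || continue
        verdict=$(classify_sig "$status")
        if [ "$verdict" = ok ]; then continue; fi
        printf '%s %s %s %s\n' "$verdict" "$status" "$commit" "$email"
        if [ "$verdict" = fail ]; then failed=1; fi
    done
    return "$failed"
}

# Constructed sample input (not real commits). The second commit names the
# same author as the first but carries no signature, which is all that
# --author or user.email alone can give you.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G alice@example.com
2222222222222222222222222222222222222222 N alice@example.com
3333333333333333333333333333333333333333 U bob@example.com
4444444444444444444444444444444444444444 B bob@example.com
EOF
}

sample_log | audit_signed_commits || echo "commits without a good signature found"
```

The non-zero return value makes the function usable as a gate in a hook or CI job.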
