Commit Signing with gpg in GitKraken Client (2024)

What is Commit Signing?

In Git, you may commit using any name and email address. However, Git supports signing commits and annotated tags using a GPG or SSH key pair.

By signing a commit, other users with your public key can verify the commit was created by the owner of that key. Users can also share their public key with their remote hosting service, such as GitHub, so that commits appear as verified on their website.

Commit Signing with GPG

Requirements

Before you start signing your commits, you will first need to install and configure GPG. Our recommendations to get GPG installed quickly are below.

Note: If you have GitKraken Desktop open, we recommend closing the application before installing GPG.

• Windows: Gpg4win, simply follow the installer.

• Mac: We recommend downloading GPG on Mac through Brew. Once you have brew, simply run brew install gpg.

• Linux: Install gpg through your distribution’s package manager.

  • Debian/Ubuntu: apt install gnupg
  • Fedora: dnf install gnupg2
  • CentOS/RHEL: yum install gnupg2

All GPG download files can be found here.

Once you have installed GPG to your machine, you can verify it is installed and check the version by opening your terminal and running gpg --version.

Note: You may need to replace `gpg` with `gpg2` if you installed GPG2 without an alias. If you have both gpg and gpg2, you will need to prefix with gpg2 if you wish to use the latter.

Generating a GPG Key In GitKraken

If you have GPG installed on your local machine, you will be able to generate a GPG key pair from within GitKraken Desktop.

Under Preferences → GPG Preferences, there is an option to Generate new GPG Key. If you wish to enter a passphrase, make sure you do so prior to selecting Generate.

Configure GPG in GitKraken

Once you have GPG installed on your machine, you will need to configure GitKraken to use GPG. Launch GitKraken Desktop and navigate to Preferences → GPG Preferences.

• Signing Key: This dropdown list will contain all of your local keys. Select the key you wish GitKraken Desktop to use when signing your commits and annotated tags. If this list is blank you can try the following troubleshoots:

  • You may need to configure the GPG Program setting first.
  • If you installed GPG while GitKraken Desktop was open, you may need to fully close GitKraken Desktop and re-launch it.

• GPG Program: This is the location of where GPG is installed on your local machine. If GPG is on your path, GitKraken Desktop should automatically detect the GPG program. However, it is possible to have multiple installations of GPG so you can specify which one GitKraken Desktop should point to by using the button.

If you do not know where GPG is installed on your local machine, launch a terminal and enter: which gpg for Mac & Linux. On Windows, use: where gpg

• Sign Commits by Default: Enabling this checkbox will have GitKraken Desktop sign any commit you create going forward.

• Sign Tags by Default: Enabling this checkbox will have GitKraken Desktop sign any annotated tags you create going forward.

• Generate new GPG Key: GitKraken Desktop will generate a new GPG key for you, see Generating a GPG Key In GitKraken.

Verifying a Local Commit is Signed

You can verify a commit has been signed by selecting a commit and viewing the commit panel. An icon will appear to the left of the commit SHA on signed commits only.

If you hover over the badge, you will see a tooltip which displays the Signature details.

Below is a list of possible signature codes and what they mean:

• GOODSIG — The signature with the keyid is good.
• EXPSIG — The signature with the keyid is good, but the signature is expired.
• EXPKEYSIG — The signature with the keyid is good, but the signature was made by an expired key.
• REVKEYSIG — The signature with the keyid is good, but the signature was made by a revoked key.
• BADSIG — The signature with the keyid has not been verified.
• ERRSIG — It was not possible to check the signature. This may be caused by a missing public key or an unsupported algorithm.

Uploading Your GPG Key to a Remote Hosting Service

To upload your GPG public key to your remote hosting service, we recommend viewing the documentation for the respective hosting service:

• GitHub
• GitLab
• Only Bitbucket ServerBitbucket

To copy your GPG public key in GitKraken Desktop, navigate to Preferences → GPG Preferences and below your Signing Key, select Copy GPG Public Key.

Editing Your GPG Key

Editing your gpg key is helpful when you wish to add another email address to a key or renew an expired key. To edit a GPG key, navigate to your terminal and enter gpg --list-secret-keys --keyid-format LONG. This command will output a list of your GPG keys, take note of the ID of the key you wish to edit.

Now that you have the key ID, you can edit the key. To do so enter gpg --edit-key FFFFFF where FFFFFF is your key ID. You will then enter an editing session with your GPG key. After you update your key, execute a save to record changes and quit editing the key.

Below is a list of useful commands to edit your key:

• adduid– Add a new user ID to the GPG key
• deluid – Delete a user ID from the GPG key
• trust – Change the owner trust value. This updates the trust database immediately and no save is required.
• expire – Change a key expiration time
• save – Save all changes to the current key and quit
• quit – Quit without updating the current key

For a complete list you can review GNU’s documentation.

Make sure to upload the updated key on your hosting service once you have saved. See Uploading Your GPG Key to a Remote Hosting Service.

Deleting your GPG Key

You can delete your key via terminal with the command gpg --delete-secret-keys simply append your username or key ID.

There will be several prompts to make sure that you really want to delete your GPG key:

Commit Signing with SSH

Commit Signing with SSH is available in GitKraken Desktop through Git Executable feature.

Requirements

• MacOS and Linux: Git and OpenSSH should be pre-installed. To check if are installed, open a terminal and run
  git -v
ssh -V
• Windows: Install Git Bash

Create SSH Key

Open a Terminal and run this command:

ssh-keygen -t ed25519 -C "[emailprotected]"

Enable Git Executable feature

Go to Preferences > Experimental > Git Executable and enable it.

Select SSH as your GPG format for signing

See this documentation to select the program used for the signing format

At Preferences > GPG > GPG Format, select SSH.

Automatically GitKraken Desktop will change your preferences in .gitconfig and populate GPG SSH Program with ssh-keygen.

Select the signing key

See this documentation to select the signing key

On Signing key, click on Browse and select the .pub key file previously generated.

Create allowed_signers file

This file is needed to verify the key used to sign the commits is valid and known by git.

See this documentation to create the allowed_signers file

On your terminal, run:

touch ~/.ssh/allowed_signersecho "$(git config --get user.email) namespaces="git" $(cat ~/.ssh/<MY_KEY>.pub)" >> ~/.ssh/allowed_signers

And select the file in GitKraken Desktop.

Enable Commit Signing by Default in GitKraken Desktop:

Preferences > GPG > Sign Commits/Tags By default

Add the SSH key to your remote hosting

• GitHub
• GitLab
• Commit Signing verification is not supported on Bitbucket.org