A Quick Guide to Signing Your Git Commits

Signing the Git commits for your source code helps protect the code from being compromised and confirms to the repository gatekeeper that you are who you say you are. Signing guarantees that my code is my work, that it is my copyright, and that nobody else can fake it. This guide provides the necessary steps to create a private and public key pair so you can sign your Git commits.

On Linux or Mac, if you have set up a development environment then you have all the necessary tools for signing.

1. Show the current configuration

You can use either of the following to display the configuration:

git config --list
git config -l

or look at your ~/.gitconfig file. The local configuration will be in your repository’s .git/config file.

Use:

git config --list --show-origin

to see where each setting is defined (global, user, repo, etc.).

Alternatively, you can filter the results using --global, --local, and --system:

git config --list --global
git config --list --local
git config --list --system

To edit a configuration, use:

git config --global --edit
git config --local --edit
git config --system --edit

This will drop you into your default editor where you can add, remove, or make changes to entries.

2. Set your name and email address

If you haven’t already configured your name and email address within Git, use the following to make changes to the local Git project:

git config user.name 'Steve Scargall'
git config user.email '[email protected]'

If you want to make the changes apply across all Git projects, use:

git config --global user.name 'Steve Scargall'
git config --global user.email '[email protected]'

3. Generate a GPG key pair

Use the following gpg command to interactively create the public/private key pair:

gpg --full-generate-key

Use the maximum key size available, likely 4096, and ensure the key does not expire. You’ll be prompted with several questions shown below:

$ gpg --full-generate-key
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Steve Scargall
Email address: [email protected]
Comment: GitHub
You selected this USER-ID:
    "Steve Scargall (GitHub) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

[...key is generated and displayed here...]

4. List your key(s)

To make sure your GPG key pair was created, run the following command and verify the output.

gpg --list-secret-keys --keyid-format LONG

You will see something similar to this:

$ gpg --list-secret-keys --keyid-format LONG
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096/3AC5D24571557BB1 2020-02-04 [SC]
      21BB8B2D82228D9CC0049A193AC5D24571557BB1
uid                 [ultimate] Steve Scargall (GitHub) <[email protected]>
ssb   rsa4096/9FB9DAD85D7623D6 2020-02-04 [E]

Copy the key ID from the output. The key ID in the above example is 3AC5D24571557BB1, or you can use the full fingerprint 21BB8B2D82228D9CC0049A193AC5D24571557BB1.

5. Add the key to GitHub

Display your public key on the terminal:

gpg --armor --export 3AC5D24571557BB1

It will display the GPG key including both header and footer text, something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
KEY_CONTENT....
-----END PGP PUBLIC KEY BLOCK-----

Launch GitHub in a web browser.

Navigate to Settings > SSH and GPG keys.

Click the green button to add a New GPG Key.

Copy and paste the public key from the gpg --armor --export 3AC5D24571557BB1 command and click the green ‘Add GPG key’ button.

6. Configure the GPG program in Git

To sign your Git commits, you will need to specify a GPG program. Use the following commands:

# on Windows
$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"

# on Linux or Mac
$ which gpg
/usr/local/bin/gpg
$ git config --global gpg.program "/usr/local/bin/gpg"

7. Configure Git to auto-sign every commit

To specify a key and automatically sign commits in a single repository, execute these commands:

git config user.signingkey 3AC5D24571557BB1 
git config commit.gpgsign true

If you want to use this GPG key ID for all Git repositories, use the --global option:

git config --global user.signingkey 3AC5D24571557BB1 
git config --global commit.gpgsign true

If you do not want to auto-sign every commit, you do not have to run the above commands. Instead, you can sign individual commits using -S and add a “Signed-off-by” trailer with -s:

git commit -s -S -m "your commit message"

8. Disable TTY for GPG

To avoid the following error:

$ git commit -m "My Message"
error: gpg failed to sign the data
fatal: failed to write commit object

I found that I had to disable TTY for gpg using:

echo 'no-tty' >> ~/.gnupg/gpg.conf

I also found the following helped:

export GPG_TTY=$(tty)

So I added an entry in my /etc/environment to apply the change to all users.

For more troubleshooting ideas, check this StackOverflow thread.
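
To check that commits really are signed by the key configured in the steps above, the following added example (not part of the original post) classifies the output of git log --format='%G? %h %GF' against a pinned fingerprint. The function names, the sample commit hashes and the second fingerprint are constructed for illustration; the pinned fingerprint is the one shown in step 4.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads lines produced by:   git log --format='%G? %h %GF'
# and prints "<hash> <verdict>" for each commit. The exit status is 1 if any
# commit is not validly signed by the pinned fingerprint.
# %G? codes (git-log documentation): G good, U good with unknown validity,
# X expired signature, Y expired key, R revoked key, B bad signature,
# E cannot be checked (e.g. missing public key), N no signature.
audit_signatures() {
    awk -v want="$1" '
    NF == 0 { next }                      # skip blank lines
    {
        status = $1; hash = $2; fpr = $3  # fpr may be empty (N, B, E)
        if      (status == "N")       verdict = "UNSIGNED"
        else if (status == "B")       verdict = "BAD_SIGNATURE"
        else if (status == "E")       verdict = "CANNOT_VERIFY"
        else if (status ~ /^[XYR]$/)  verdict = "EXPIRED_OR_REVOKED"
        else if (status !~ /^[GU]$/)  verdict = "UNKNOWN_STATUS"
        else if (fpr != want)         verdict = "UNEXPECTED_KEY"
        else                          verdict = "OK"   # pinned key signed it
        print hash, verdict
        if (verdict != "OK") failed = 1
    }
    END { exit (failed ? 1 : 0) }'
}

# Full fingerprint from step 4 of this guide.
PINNED=21BB8B2D82228D9CC0049A193AC5D24571557BB1

# Constructed sample input: hashes and the all-A fingerprint are made up.
sample_log() {
    cat <<EOF
G 1111111 $PINNED
N 2222222
G 3333333 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
B 4444444
E 5555555
EOF
}

sample_log | audit_signatures "$PINNED" || echo "unsigned or unexpected commits found"

# In a real repository:
#   git log --format='%G? %h %GF' | audit_signatures "$PINNED"
```

Matching on the full fingerprint rather than the 16-character key ID avoids accepting a different key that happens to share the shorter ID.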

Summary

This blog post showed you how to create a public/private key pair using gpg, upload your key to GitHub, and finally sign Git commits manually or automatically.
