# Commit Signature Verification with GPG keys on GitHub

By [Farhad](https://paragraph.com/@asgarovf) · 2024-03-15

---

As developers we spend most of our time on GitHub, contributing to projects both open and closed source. Dozens of GitHub automations run in some repositories, some of them releasing new public versions of applications and libraries. If someone gains unauthorized access to one of our computers, malicious code can be injected into the codebase through our account. Signing commits helps prevent impersonation attacks, where someone tries to make unauthorized changes to a repository under your name, by verifying that each commit comes from a trusted source. In this article we are going to look at signing commits with GPG keys and walk through the required steps.

Example Scenario
----------------

Before starting, let’s have a look at a different scenario for the [Ledger Connect Kit hack](https://www.ledger.com/blog/security-incident-report) that happened recently. We know that the hack happened because the attacker gained unauthorized access to the npmjs registry account of a repository. To understand the big picture of what happened that day, let’s first look at the attacker’s unauthorized access to npmjs.

![Source: ledger.com](https://storage.googleapis.com/papyrus_images/6b7153c56bfec0343fefad7ae296d85c4afae9841262a7b9f9e81338e550bc07.png)

Source: ledger.com

However, in an alternative scenario, the same attack could also happen at the GitHub level (described below), which could likewise lead to malicious code being published for public use.

![](https://storage.googleapis.com/papyrus_images/e4ea4b2ec3a40fd897f51120b8a995005941ffe04752b5c07dabee3479ea49e1.png)

Front-end code in particular is quite exposed to this type of attack. We all use cloud services, such as [Vercel](https://vercel.com/), to deploy our front-end services, and Vercel’s automated deployments are really helpful for shipping web services immediately. However, it is important to control access to the git repository to make sure that the automation does not result in an accident.

Signing Commits with GPG Keys
-----------------------------

SSH and GPG keys are both widely used to sign commits on GitHub. The advantage of GPG keys is that they are managed with a more robust and flexible key management system than SSH keys: GPG supports features such as key expiration and revocation, which enhance security.

Let’s take a look at the steps to create, register and use GPG keys on GitHub. I will show the example in a macOS environment, but it should also work on Ubuntu and other Linux distributions.

### Creating a GPG Key

1 - First, you need to install the packages required to create GPG keys on your computer. On macOS you can simply use `brew` to install them:

2 - After installing the required packages, you can start the key creation process.

Run the following command in your terminal. It will ask you a few questions about your GPG key.

    gpg --full-generate-key
    

*   For the first question, GitHub supports the `RSA`, `ElGamal`, `DSA`, `ECDH`, `ECDSA` and `EdDSA` algorithms. We will continue with `RSA`, which is probably the most popular.
    
*   For the second question we will choose a 4096-bit key size, which is considered very secure for most applications.
    
*   For the third question, you can choose the validity period of your key. The recommended option is to keep the validity as short as possible; the trade-off is that you will have to renew the key at each expiration. I will choose `1y` (1 year) for this example, but you are free to lower the duration based on your needs.
    
*   Then you will enter your personal information for the GPG key. Make sure that the email you enter matches your GitHub email.
    
*   Finally, it will ask for a passphrase to protect your GPG key. Choose a strong passphrase to protect it.
    

  
3 - After creating your GPG Key, run the following command to list your keys with their IDs.

    gpg --list-secret-keys --keyid-format=long
    

You will see output similar to the example below. The long key ID is the hex string after `rsa4096/` on the `sec` line (`5BF8B141D9B03F0A` here):

    sec  rsa4096/5BF8B141D9B03F0A 2024-03-07 [SC] [expires: 2025-03-07]
                                                  YOUR LONG KEY ID HERE
    

4 - Copy the `KEY ID` from the output and run the following command to export your public key block. Copy the output that starts with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ends with `-----END PGP PUBLIC KEY BLOCK-----`.

    gpg --armor --export YOUR_KEY_ID_HERE
    

5 - Go to GitHub → Settings → SSH and GPG keys, then press the `New GPG key` button.

![Creating new GPG Key in Github](https://storage.googleapis.com/papyrus_images/228ed61d8cf753cf76e29c88bf321c8bb842b97f99c05d1065493c172d15d921.png)

Creating new GPG Key in Github

6 - Paste the copied GPG public key block into the textbox and give it a title to identify it. Then press the `Add GPG key` button to save your changes. You will see that the GPG key has been added to your GitHub account.

7 - Finally, you need to configure your local `git` settings to sign commits. Go to the repository path on your computer and run the following commands:

    git config --local commit.gpgsign true
    git config --local user.signingkey YOUR_KEY_ID_HERE
    

8 - This step is mostly required on macOS. Run `export GPG_TTY=$(tty)` so that the passphrase prompt can be shown (you can add this line to your `~/.zshrc` file so that you don’t have to enter it again after every restart).

9 - Now you are good to go! Try making a commit: git will ask for the passphrase of the GPG key you created, and on GitHub the commit will show the `Verified` label, as in the output below.

![Commit Example with Verified Label](https://storage.googleapis.com/papyrus_images/d988954c25125efc61794400287864e7a6ea23355e40f70cba90fafa1d19b8cf.png)

Commit Example with Verified Label
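To check the result of steps 3 to 8 from a script, here is an added example of my own (it is not code from the original article, from GnuPG or from GitHub). Written in POSIX shell, it parses the `gpg --list-secret-keys --keyid-format=long` listing from step 3 to pull out the long key ID and the expiry date, compares them with the `commit.gpgsign` and `user.signingkey` values set in step 7, and warns when the `GPG_TTY` variable from step 8 is unset. The function names are this example's own, and the sample listing, its key ID, fingerprint and dates are constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks for the signing
# setup in steps 3, 4, 7 and 8. Function names are this example's own.

# Print the long key ID(s) from `gpg --list-secret-keys --keyid-format=long`
# output read on stdin: the 16 hex digits after "rsa4096/" on each "sec" line
# (step 4 copies exactly this value).
long_key_id_from_listing() {
    sed -nE 's#^sec[[:space:]]+[a-z0-9]+/([0-9A-Fa-f]{16}).*#\1#p'
}

# Print the expiry date (YYYY-MM-DD) shown on the "sec" line, if one is set.
# An already expired key is listed as "[expired: ...]" and prints nothing.
key_expiry_from_listing() {
    sed -nE 's#^sec.*\[expires: ([0-9]{4}-[0-9]{2}-[0-9]{2})\].*#\1#p'
}

# Exit 0 when the key on stdin expires strictly after the date in $1
# (YYYY-MM-DD strings compare correctly as plain text). A key with no expiry
# date fails the check, since the article recommends always setting one.
key_valid_on() {
    expiry=$(key_expiry_from_listing)
    [ -n "$expiry" ] && expr "$expiry" \> "$1" >/dev/null
}

# Exit 0 when the git settings from step 7 match the keyring on stdin:
# $1 = commit.gpgsign value (must be "true"), $2 = user.signingkey value
# (must be one of the listed long key IDs).
signing_config_matches() {
    [ "$1" = "true" ] || return 1
    [ -n "$2" ] || return 1
    long_key_id_from_listing | grep -qxF -- "$2"
}

# Live check against the current repository and keyring (runs gpg and git;
# not invoked automatically). Usage: check_current_repo && echo "signing OK"
check_current_repo() {
    listing=$(gpg --list-secret-keys --keyid-format=long 2>/dev/null) || return 1
    gpgsign=$(git config --get commit.gpgsign || true)
    keyid=$(git config --get user.signingkey || true)
    printf '%s\n' "$listing" | signing_config_matches "$gpgsign" "$keyid" || {
        echo "commit.gpgsign/user.signingkey do not match a local secret key" >&2
        return 1
    }
    printf '%s\n' "$listing" | key_valid_on "$(date +%F)" || {
        echo "signing key has expired or has no expiry date" >&2
        return 1
    }
    # Step 8: without GPG_TTY the passphrase prompt may not appear.
    [ -n "${GPG_TTY:-}" ] || echo "warning: GPG_TTY is not set" >&2
}

# Constructed sample listing in the format shown in step 3 (not a real key;
# the second line is the fingerprint, whose last 16 digits are the key ID).
SAMPLE_LISTING='sec   rsa4096/5BF8B141D9B03F0A 2024-03-07 [SC] [expires: 2025-03-07]
      0123456789ABCDEF012345675BF8B141D9B03F0A
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/0011223344556677 2024-03-07 [E] [expires: 2025-03-07]'

# Wrappers that run the checks against the sample listing.
sample_key_id()    { printf '%s\n' "$SAMPLE_LISTING" | long_key_id_from_listing; }
sample_valid_on()  { printf '%s\n' "$SAMPLE_LISTING" | key_valid_on "$1"; }
sample_config_ok() { printf '%s\n' "$SAMPLE_LISTING" | signing_config_matches "$1" "$2"; }
```

The parsers only read `sec` lines, so a subkey ID from an `ssb` line is not accepted as `user.signingkey`, matching the article's instruction to copy the primary key's ID. Running `check_current_repo` inside the repository after step 7 gives a quick yes/no before the first signed commit.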

Enforcing Verified Commits in GitHub Repositories
-------------------------------------------------

You can enforce commit signature verification on your repositories to make sure that all contributions come from a trusted source. To do this, enable the following option in the `Branch Settings` of your GitHub repository.

![Enforcing signed commits in GitHub repository](https://storage.googleapis.com/papyrus_images/b9308cb1040d32e814da96f5833c8880b74c23583d70836a941303e3a79d240a.png)

Enforcing signed commits in GitHub repository
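The branch rule above is checked by GitHub at push time. To see the same information locally before pushing, here is an added example of my own (not code from the original article or from GitHub) that audits the signature status of commits using git's `%G?` log placeholder. The function names are this example's own, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a local audit of commit
# signature status, to complement the branch-protection setting above.
# Function names are this example's own; the sample log lines are constructed.

# git's %G? format placeholder summarises the signature check of each commit:
#   G good signature from a trusted key     U good signature, key untrusted
#   X good signature, now expired           Y good signature, key expired
#   R good signature, key revoked           B bad signature
#   E signature cannot be checked           N no signature
# Read "<hash> <status> <subject>" lines on stdin and print every commit
# whose status is not G, with a short explanation.
unverified_commits() {
    while read -r hash status subject; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) ;;
            N) echo "$hash unsigned: $subject" ;;
            B) echo "$hash BAD signature: $subject" ;;
            E) echo "$hash cannot verify (signer's public key missing?): $subject" ;;
            U) echo "$hash good signature from a key not trusted locally: $subject" ;;
            X|Y|R) echo "$hash good signature, but expired or revoked ($status): $subject" ;;
            *) echo "$hash unknown status '$status': $subject" ;;
        esac
    done
}

# Exit 0 only when every commit on stdin has status G.
all_verified() {
    [ -z "$(unverified_commits)" ]
}

# Live usage (runs git; not invoked automatically): list the commits in the
# given range that would fail a "require signed commits" rule and exit 1 if
# there are any. Example: audit_range main..HEAD
audit_range() {
    findings=$(git log --format='%H %G? %s' "${1:-main..HEAD}" | unverified_commits)
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Constructed sample of `git log --format='%H %G? %s'` output (not real commits).
SAMPLE_LOG='1111111111111111111111111111111111111111 G Add input validation
2222222222222222222222222222222222222222 N Bump version
3333333333333333333333333333333333333333 B Update dependency lockfile
4444444444444444444444444444444444444444 E Refactor build script'

# Wrappers that run the audit against the sample log.
sample_unverified()       { printf '%s\n' "$SAMPLE_LOG" | unverified_commits; }
sample_unverified_count() { sample_unverified | wc -l | tr -d ' '; }
sample_all_verified()     { printf '%s\n' "$SAMPLE_LOG" | all_verified; }
```

Note that `%G?` is evaluated against your local keyring, not GitHub's: a commit that GitHub shows as `Verified` will appear as `E` locally if you have not imported the author's public key, and as `U` if you imported it but have not marked it as trusted. The audit is therefore most useful for your own commits, or in CI where the team's public keys are imported.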

Further reading
---------------

If you want to learn more about commit signature verification on GitHub, see the official GitHub documentation.

[https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)

---

*Originally published on [Farhad](https://paragraph.com/@asgarovf/commit-signature-verification-with-gpg-keys-on-github)*
