Securing git commits from tricking you on Windows


Did you know that by default you can check in code as anyone in your git repository? All you need to do is run git config user.name {username} and git config user.email {email} and you can trick git into thinking you are someone else. For a better understanding of what kinds of problems this can create, go and read Mike Gerwitz’s article, A Git Horror Story. Luckily, Git allows you to resolve this issue pretty easily – by letting you sign commits using GPG (GNU Privacy Guard).

The GitHub help article Signing commits using GPG is a pretty good guide on how to set it up. But it requires you to use the git bash console. So, what do you do if, like me, you are on a Windows machine and would prefer to use a GUI? Don’t fear, this guide will tell you what you need to know.

Using Gpg4win with Git needs a little bit of configuration, so let’s start configuring it.


Setup Kleopatra

    1. Download Gpg4win and install it using the installer.
    2. Go to the Start menu and start Kleopatra.
    3. Click on File -> New Key Pair.

      Kleopatra

    4. Click on Create a Personal OpenPGP key pair.

      Key Pair Creation

    5. Enter details and click next.

      Enter details

    6. Review and Create the key. This will show a popup asking you to enter a passphrase to protect the key.
    7. Enter a passphrase and click OK.

      Enter Passphrase

    8. At this point, the key pair should be created. Click on Finish.
      You can create a backup of the key and save it somewhere safe.

      Key pair Created

    9. You should now see the key in Kleopatra.

      Key in Kleopatra

    10. Keep a note of the Key-ID. We will need it in a minute.
      This is D1E4471 in the screenshot above.
    11. Double click the key to see the certificate details.

      Key Details

    12. Click on export and copy the public gpg key.
      Make sure you copy everything, including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----.

      PGP public key


Configure Git to Sign Commits

  1. Update the global git config to use the signing key.
    Remember the Key-ID from above – You will need it here.

    1. Enter git config user.signingkey D1E4471 in your git console.
      If you want to set it on a global level, use git config --global user.signingkey D1E4471 instead.
  2. Instruct git to sign every commit automatically.
    1. Enter git config commit.gpgsign true in your git console.
      If you want to set it on a global level, use git config --global commit.gpgsign true instead.
  3. Instruct git to sign every tag automatically.
    1. Enter git config tag.gpgsign true in your git console.
      If you want to set it on a global level, use git config --global tag.gpgsign true instead.
  4. Tell git to use the Gpg4win version of gpg.exe.
    1. Enter git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe" in your git console.
      You might need to tweak the location of the program if you installed it in a custom location.

To check that it works, commit some code to a repository which has been set up to use signing. You should be prompted for the passphrase you entered earlier.
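The same configuration as a Git Bash script, with a check of the result and of the local signature: this is an added example, not code from the original post. It assumes the default Gpg4win path above and uses the Key-ID D1E4471 from the screenshot as a placeholder for your own; the e-mail check is there because GitHub only shows Verified when the committer e-mail is a user ID on the signing key.

```shell
# Added example, not code from the original post. Assumes Git Bash on Windows,
# Gpg4win at its default path, and the Key-ID D1E4471 from the screenshot as a
# placeholder for your own.
set -e

# Default Gpg4win location; adjust if you installed it somewhere else.
GPG_EXE='C:\Program Files (x86)\GnuPG\bin\gpg.exe'

# configure_signing <key-id> [--global]
# Applies the four settings from the steps above. Without --global the first
# three land in the current repository's .git/config; gpg.program is always
# global because git must find gpg.exe regardless of repository.
configure_signing() {
    key_id="$1"
    scope="${2:-}"
    git config $scope user.signingkey "$key_id"
    git config $scope commit.gpgsign true
    git config $scope tag.gpgsign true
    git config --global gpg.program "$GPG_EXE"
}

# signing_config_ok: succeeds only when every setting is present and enabled,
# so a repository cannot silently fall back to unsigned commits.
signing_config_ok() {
    [ -n "$(git config --get user.signingkey)" ] &&
    [ "$(git config --get commit.gpgsign)" = "true" ] &&
    [ "$(git config --get tag.gpgsign)" = "true" ] &&
    [ -n "$(git config --get gpg.program)" ]
}

# verify_head: exits non-zero if HEAD is unsigned or the signature is bad,
# which is the local equivalent of GitHub's "Verified" badge.
verify_head() {
    git verify-commit HEAD
}

# email_matches_key: GitHub marks a commit Verified only when the committer
# e-mail is a user ID on the signing key (and verified on the account), so
# check the two agree before pushing. Field 10 of a --with-colons uid line
# is the "Name <email>" string.
email_matches_key() {
    key_id="$(git config --get user.signingkey)"
    email="$(git config --get user.email)"
    gpg --list-keys --with-colons "$key_id" 2>/dev/null |
        awk -F: '$1 == "uid" { print $10 }' | grep -qF "<$email>"
}
```

Run configure_signing D1E4471 inside the repository, then signing_config_ok and, after the first commit, verify_head and email_matches_key.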

Enter Passphrase


Configure Kleopatra to cache the passphrase for a longer time

    1. Run Kleopatra. Click on Settings -> Configure Kleopatra.
    2. On the configure page click on GnuPG System -> Private Keys and scroll down to the Options controlling the security section.
      1. Set the cache time.
        86400 seconds is equal to 1 day.

        Configure Kleopatra


Configure Github to show verified commits

  1. Follow the steps at Adding a new GPG key to your GitHub account so that GitHub can show the verified commits.
    Use the public gpg key that you copied earlier.

To check if it works, push the signed commit. You should see the Verified tag in the commit history on GitHub.

The commit should have a Verified tag which you can click to see additional details.

Verified Commits