Over the course of 3 years studying Computer Science, I have made
heavy use of Bash and Git. Just last semester, I took a course called
Introduction to Cryptography where I learned about secure systems,
cryptographic schemes, authentication, abstract algebra, and more.
I was introduced to GnuPG as a program that abstracts away all
but the most essential details of encryption, and I was very impressed
with the capabilities and power that GnuPG provides to the user.
Let’s say you are interested in signing your Git commits. There is much
more that can be signed, but signing Git commits can be automated once
set up, and offers some additional assurance to others that you, yourself
are the author of some commits.
I will start off by making sure GPG and Git
are installed on Bash for Ubuntu WSL.
For sanity’s sake, I will print out the version of gpg and bash that I am using
To generate a key, type
I select 1 for RSA, because it’s my favorite and I have implemented
I select 4096 bits for the maximum amount possible of security, at the
cost of added time to decrpyt and encrypt, although 2048 bits is
still perfectly valid on 8/21/2018.
I hit enter to select “key does not expire,” although, one could
choose to have the key become invalid (untrusted) in a certain amount of time.
If you choose to have the key expire in a certain amount of time,
then you will need to tell git about the new key when used to automatically
commits and/or tags, which we will talk about later in this post.
You will next fill in your real name, email address, and an optional comment.
The next prompt will be for a passphrase AKA a password to access the key.
Keep in mind that if your key falls into the wrong hands, the passphrase
is the only defense against impersonation, but if you have a passphrase,
you will need to type it in at each commit if you automatically sign commits.
I didn’t make a passphrase because I trust that my computer is secure,
and that no one else is able to access it.
Next, GPG will generate pseudo-random bytes to generate a
pair of keys.
Boom! You now have generated a pair of keys that can authenticate
yourself to others, as well as encrypt communications that are sent to you.
Now that you have a public and private key, you can sign commits. To sign
commits, you will need to specify the key you are using, as well
as to automatically sign commits as they are made.
Next time you make a commit, Git will try to sign the commit, and will
tell if you if there was an issue with signing the commit.
You might be interested in hosting your projects on Github, so there
is a way to get that niced “Verified” checkmark next to your commits,
and that is by telling Github what your public key is, so Github
can verify the signature on your commits.
You can do this by heading over to https://github.com/settings/profile and
clicking on SSH and GPG keys. There, you can click on “add GPG key,”
and there will be a box to paste the ASCII representation of your public key.
You need to paste that huge chunk of text into the textbox given on
Github, and then if everything works out, you can start
signing commits and getting the nice looking “Verified” stamps
in your commit history.