How to Set Up GPG Key for Signed Git Commits: A Step-by-Step Guide

When working with Git, especially on public repositories like GitHub, signing your commits with a GPG key ensures authenticity and trust. Here’s a comprehensive guide to help you generate and configure a GPG key for signing your Git commits.

Step 1: Generate a GPG Key

Open Git Bash:
- Launch Git Bash from your applications.
Generate a GPG Key:

In Git Bash, run:

   gpg --full-generate-key

Choose Key Type:
- Select the type of key you want to generate. Go with the default option: (9) ECC (sign and encrypt) *default*

Choose option 9 for ECC (Elliptic Curve Cryptography).

Select Elliptic Curve:
- When asked to select an elliptic curve, choose the default: (1) Curve 25519 *default*

Pick 1 for Curve 25519.

Set Key Expiry Date:
- You will need to set an expiration date for your key. To create a key with no expiration, enter 0 and press Enter.

Confirm Key Details:
- Confirm your choices by typing y and pressing Enter.
Enter User Information:
- Provide your name, email address, and an optional comment. For example:
```
 Real name: Your Name  
 Email address: example@gmail.com  
 Comment: My GPG Key  
```

Press Enter after each input.

Final Confirmation:
- Type o to confirm the details and press Enter.

Set Passphrase:
- Passphrase Prompt: A popup will appear asking you to enter a passphrase.
  - 9.1: Do not enter anything; just click **OK.
  - 9.2: Another popup will appear. Click **Yes when it asks about protection (protection is not needed).
  - 9.3: The first popup will reappear. Repeat the process (this is just a confirmation process, so don’t worry).

Step 2: Locate Your GPG Key

List Secret Keys: To list your GPG keys, run:

   gpg --list-secret-keys --keyid-format=long

Identify Key ID:
- Look for the line starting with sec that contains your key ID. It will look like:
```
 sec   4096R/12345678 2024-09-15 [expires: 2025-09-15]
```

Copy the key ID (the portion after 4096R/, e.g., 12345678).

Update Git Configuration:
- Open the .gitconfig file, typically found at C:\Users\<username>\.gitconfig, in a text editor like Notepad.
- Add the following line under the [user] section:
```
 [user]
   signingkey = 12345678
```

Save and Exit:
- Save the changes and close the text editor.

Step 3: Export Your Public Key

Export Public Key: Run the following command to export your public key:

   gpg --armor --export

Copy Public Key:

Copy everything between and including the lines:

 -----BEGIN PGP PUBLIC KEY BLOCK-----
 ...
 -----END PGP PUBLIC KEY BLOCK-----

Step 4: Add Your GPG Key to GitHub

Log in to GitHub:

Open GitHub in your browser and log in to your account.
Navigate to SSH and GPG Keys:
- Click on your profile picture, go to Settings, and find SSH and GPG keys in the sidebar.
Add New GPG Key:
- Click New GPG Key.
Paste and Save Key:
- Paste the public key you copied earlier and click Add GPG Key.

Authenticate:
- Enter your GitHub password if prompted to complete the process.

Step 5: Enable Commit Signing in Git

Configure Git: To enable commit signing, run:

   git config --global commit.gpgsign true

Verify Configuration: Ensure commit signing is enabled by running:

   git config --global --get commit.gpgsign

It should return true.

Step 6: Test Signing Your Commits

Create a Test Repository: If you don’t have a test repository, create one with:

   git init test-repo
   cd test-repo

Make a Test Commit: Add a file and make a commit:

   echo "Test file" > test.txt
   git add test.txt
   git commit -m "Test commit"

Verify Signed Commit: To verify that your commit is signed, run:

   git log --show-signature

You should see something like gpg: Signature made and gpg: Good signature.

By following these steps, you can securely sign your Git commits, ensuring that your work is authenticated and trusted. If you encounter any issues or have questions, feel free to reach out!

Getting Verified On GitHub!