This article shows how to set up and sign git commits on Windows for GitHub. Most of this is already documented in the GitHub docs, but I ran into trouble when using this with Git Extensions on a Windows host. My commits could not be signed until I set the GnuPG home system variable on the Windows host.
Install gpg on Windows
To sign git commits, download Gpg4win for Windows and install it. Git should already be installed. No extra features are required.
Generate a key on Windows
The Windows command line is used to generate a new gpg key. I have a safe host PC and do not require a passphrase. Other than this, I used the default settings to generate the new gpg key.
Note: The requested email needs to match the email used on your GitHub account.
gpg --full-generate-key
GitHub docs: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
The key ID shown on the pub line can be used to export the public key and upload it to the GitHub account.
Use Git Extensions and apply the signing per repo
I would like to use this key for a single repository. I have multiple user accounts for multiple systems and each has different git requirements. For one GitHub repository, I would like to sign all commits. I generated the key in the global user profile but only use the key in this repository.
If you want to sign the commits, the following commands can be executed in the git bash window opened from the repository. I open the bash through Git Extensions. If you already have the key ID from creating it, you can skip step 3.
1. git config commit.gpgsign true
2. git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
3. gpg --list-secret-keys --keyid-format=long
4. git config user.signingkey <your key>
Signing key not found
If the signing key is not found on Windows, it is probably because git is looking in the wrong location for the gpg keyring. To validate this, open the git bash from the repository, run gpg --version and find the Home: value. This must match the value shown in the Windows command line.
gpg --version
Find the value for Home:
Now run the same command in the Windows cmd and check that the Home: value matches the one from the git bash console. If it does not match, take the Windows cmd Home: value and add it to the system variables.
Add an environment variable called GNUPGHOME with the value found in the gpg --version output in cmd.
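The steps above boil down to two checks that are easy to get wrong by hand: picking the long key ID for the uid that matches your GitHub email, and confirming that git bash and cmd report the same GnuPG Home:. This added example (not from the original post) does both offline against constructed sample gpg output; the key IDs, paths and email addresses are placeholders.

```shell
#!/bin/sh
# Added example: helpers for the per-repository signing setup and the
# GNUPGHOME mismatch check. All sample output below is constructed.

# Constructed sample of `gpg --list-secret-keys --keyid-format=long`
# with two secret keys (placeholder IDs and emails).
SAMPLE_KEYS='sec   rsa4096/0123456789ABCDEF 2024-01-01 [SC]
      0000000000000000000000000000000000000000
uid                 [ultimate] Example Dev <dev@example.com>
ssb   rsa4096/FEDCBA9876543210 2024-01-01 [E]
sec   rsa4096/1111111122222222 2024-02-02 [SC]
      1111111111111111111111111111111111111111
uid                 [ultimate] Other Account <other@example.org>
ssb   rsa4096/3333333344444444 2024-02-02 [E]'

# Constructed samples of `gpg --version` as seen from Windows cmd
# (Gpg4win) and from the git bash shell (bundled gpg).
CMD_VERSION_OUT='gpg (GnuPG) 2.4.x
Home: C:/Users/dev/AppData/Roaming/gnupg'
GITBASH_VERSION_OUT='gpg (GnuPG) 2.4.x
Home: /c/Users/dev/.gnupg'

# Print the long key ID (text after the slash on the "sec" line) of the
# secret key whose uid carries the given email; prints nothing on no match.
key_id_for_email() {
  printf '%s\n' "$2" | awk -v email="$1" '
    /^sec / { split($2, parts, "/"); current = parts[2] }
    /^uid / && index($0, "<" email ">") { print current; exit }
  '
}

# Print the directory from the "Home:" line of `gpg --version` output.
gpg_home() {
  printf '%s\n' "$1" | sed -n 's/^Home: *//p'
}

# Succeed only when both shells report the same GnuPG home; a mismatch is
# the situation the post fixes by setting GNUPGHOME as a system variable.
homes_match() {
  [ "$(gpg_home "$1")" = "$(gpg_home "$2")" ]
}

# Apply the per-repository settings from the post (run inside the repo).
configure_repo_signing() {
  git config commit.gpgsign true
  git config user.signingkey "$1"
}

KEY_ID=$(key_id_for_email dev@example.com "$SAMPLE_KEYS")
echo "user.signingkey would be: $KEY_ID"
if ! homes_match "$CMD_VERSION_OUT" "$GITBASH_VERSION_OUT"; then
  echo "Home: differs, set GNUPGHOME=$(gpg_home "$CMD_VERSION_OUT") as a system variable"
fi
```

With a real installation, feed the functions the live output of gpg --list-secret-keys --keyid-format=long and gpg --version from each shell instead of the constructed strings.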
Now the commit should be signed. The next step is to set up GitHub to use this key.
Add the gpg key to your GitHub account
The gpg public key can be attached to the GitHub account. The docs explain this well.
gpg --list-secret-keys
gpg -a --export <your-pub-key>
Display the verified commits on GitHub: https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits
When you commit and push, GitHub should display a verified status.
You can now require that all commits are verified for a repository.
I’ve switched to using 1Password for this, it prompts me for the 1Password passphrase when I try to either sign commits or communicate with GitHub.
https://developer.1password.com/docs/ssh/git-commit-signing/
Thanks for the link