Signing git commits on Windows and using with Github

This article shows how to set up and sign git commits on Windows for Github. Most of this is already documented in the Github docs, but I ran into trouble when using this with Git Extensions on a Windows host. My commits could not be signed until I set the home system variable on the Windows host.

Install gpg on Windows

To sign git commits, download Gpg4win for Windows and install it. Git should already be installed. No extra features are required.

Generate a key on Windows

The Windows command line is used to generate a new gpg key. I have a safe host PC and do not require a passphrase. Other than this, I just used the default settings to generate a new gpg key.

Note: The requested email needs to match the email used on your Github account.

gpg --full-generate-key

Github docs: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

The public part of the new key can then be exported and uploaded to the Github account.

Use Git Extensions and apply the signing per repo

I would like to use this key for a single repository. I have multiple user accounts for multiple systems and each have different git requirements. For one Github repository, I would like to sign all commits. I generated the key in the global user profile but only use the key on this repository.

In the git bash window opened from the repository, the following commands enable signing of the commits. I open the bash through Git Extensions. If you already have the key id from creating the key, you can skip the third command.

git config commit.gpgsign true

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

gpg --list-secret-keys --keyid-format=long

git config user.signingkey <your key>

Signing key not found

If the signing key is not found on Windows, it is probably because the application is looking in the wrong location for the gpg key. To validate this, open the git bash from the repository and find the Home: value. This must match the value in the Windows command line.

gpg --version

Find the value for Home:

Now run the same command in the Windows cmd and check that its Home: value matches the one in the git bash console. If it does not match, take the Windows cmd Home: value and add it to the system variables.

Add an environment variable called GNUPGHOME with the value found in the gpg --version cmd.
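To make the two checks above (the long key id for user.signingkey, and the Home: comparison between git bash and cmd) less error-prone, here is an added helper script that is not part of the original article. It parses constructed sample output of gpg --version and gpg --list-secret-keys --keyid-format=long; replace the sample strings with the real output from your own shells.

```shell
#!/usr/bin/env bash
# Added example (not from the article): parse the Home: line from `gpg --version`
# output taken in git bash and in the Windows cmd window, flag a mismatch, and
# pull the long key id needed for `git config user.signingkey`.
set -e

# Constructed sample output, standing in for real `gpg --version` output.
# Git bash and cmd disagreeing on Home: is the "signing key not found" case.
BASH_VERSION_OUT='gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Home: /c/Users/dev/.gnupg
Supported algorithms:'
CMD_VERSION_OUT='gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Home: C:\Users\dev\AppData\Roaming\gnupg
Supported algorithms:'
# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output.
SECRET_KEYS_OUT='sec   rsa4096/3AA5C34371567BD2 2023-05-01 [SC]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid                 [ultimate] Dev Example <dev@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2023-05-01 [E]'

# Print the Home: directory from the `gpg --version` output passed as $1.
gpg_home_from_version() {
    printf '%s\n' "$1" | sed -n 's/^Home: *//p' | head -n 1
}

# Print the long key id of the first secret key (the "sec" line) in $1.
signing_key_id() {
    printf '%s\n' "$1" | sed -n 's/^sec .*\/\([0-9A-Fa-f]\{16\}\) .*/\1/p' | head -n 1
}

# Return 0 when both shells use the same GnuPG home, 1 otherwise.
check_gpg_home() {
    if [ "$1" = "$2" ]; then
        printf 'gpg home matches: %s\n' "$1"
        return 0
    fi
    printf "gpg home mismatch: git bash uses '%s', cmd uses '%s'\n" "$1" "$2"
    printf 'set the system variable GNUPGHOME=%s so git bash finds the same keyring\n' "$2"
    return 1
}

bash_home=$(gpg_home_from_version "$BASH_VERSION_OUT")
cmd_home=$(gpg_home_from_version "$CMD_VERSION_OUT")
check_gpg_home "$bash_home" "$cmd_home" || true
printf 'git config user.signingkey %s\n' "$(signing_key_id "$SECRET_KEYS_OUT")"
```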

Now the commit should be signed. The next step is to set up Github to use this key.

Add the gpg key to your Github account

The gpg key can be attached to the Github account. The docs explain this well.

Github docs: https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account

gpg --list-secret-keys

gpg -a --export <your-pub-key>

Display the verified commits on Github: https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits

When you commit and push, Github should display a verified status.

You can now require that all commits are verified for a repository.

Links

https://www.gnupg.org

https://www.gpg4win.org/

https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address

4 comments

  3. LasseVK · · Reply

    I’ve switched to using 1Password for this, it prompts me for the 1Password passphrase when I try to either sign commits or communicate with GitHub.

    https://developer.1password.com/docs/ssh/git-commit-signing/

    1. Thanks for the link
