GNU Privacy Guard (GPG)

What is GPG in GitHub?

GPG (GNU Privacy Guard) in the context of GitHub is used for signing commits and tags to verify the authenticity of a contributor’s identity. It ensures that commits and tags have not been tampered with and were created by the stated author.

Why Use GPG for GitHub?

  1. Verify Authorship – Ensures that commits were made by the actual user, preventing impersonation.
  2. Security & Trust – Protects against unauthorized commits in repositories.
  3. Compliance – Helps organizations meet security and compliance requirements.
  4. Commit Integrity – Guarantees that commits have not been altered after signing.

How GPG Works with GitHub

  1. Generate a GPG Key – Create a personal cryptographic key pair (public & private key).
  2. Add the GPG Key to GitHub – Register your public key with your GitHub account.
  3. Sign Your Commits – Use the private key to sign commits and tags.
  4. GitHub Verifies Signatures – GitHub checks the commit signature and marks it as “Verified” if it matches your registered GPG key.

How to Set Up GPG for GitHub (Step-by-Step)

1. Install GPG

  • Windows: Install Gpg4win
  • Mac: Install GPGTools, or brew install gnupg
  • Linux: Install via package manager → sudo apt install gnupg (Debian/Ubuntu)

2. Generate a GPG Key

Run the following command:

gpg --full-generate-key

  • Choose: RSA and RSA (default)
  • Key size: 4096 bits
  • Expiration: Never (or choose a time frame)
  • Enter your name and GitHub email address
  • Set a secure passphrase

3. Get Your GPG Key ID

List your keys:

gpg --list-secret-keys --keyid-format=long

Find the key ID (16-character hex code):

sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC]

Your GPG key ID is: 3AA5C34371567BD2

4. Get Your Public Key

Run:

gpg --armor --export 3AA5C34371567BD2

Copy the output (starts with -----BEGIN PGP PUBLIC KEY BLOCK-----).

5. Add GPG Key to GitHub

  • Go to GitHub → Settings → SSH and GPG Keys.
  • Click New GPG Key, paste the key, and save.

6. Configure Git to Use GPG

Tell Git to sign commits with your key:

git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true

(Optional) Also sign tags by default:

git config --global tag.gpgsign true

7. Sign a Commit

git commit -S -m "My first signed commit"

If prompted, enter your GPG passphrase.

8. Verify the Signature on GitHub

  • Push your commit to GitHub (git push).
  • On GitHub, the commit will show "Verified" with a green checkmark if properly signed.

Troubleshooting

  • If GPG signing fails, try:
    export GPG_TTY=$(tty)
  • If GitHub shows “Unverified”, ensure:
    • The email in your GPG key matches your GitHub email.
    • The key is correctly added to GitHub.
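As an added, end-to-end illustration of steps 2 to 8 and of the "Unverified" troubleshooting case (an example script, not part of the original guide): it generates a throwaway key, makes one signed and one unsigned commit, and checks them locally with git's %G? signature status, including what happens when the verifying keyring lacks the public key. Assumed: gpg 2.1+ and git are installed; the name, e-mail and commit contents are constructed; an Ed25519 key stands in for the guide's RSA 4096 key to keep key generation fast (GitHub accepts both algorithms).

```shell
# Added example, not from the guide. Constructed values: "Demo Signer", demo@example.com.
# Assumes gpg 2.1+ and git on PATH; runs entirely inside a temp dir, never your real keyring.
sign_and_verify_demo() {
  command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 || { echo skip; return 0; }
  work=$(mktemp -d) || return 1
  home="$work/gnupg"; empty="$work/empty"; repo="$work/repo"
  mkdir -p "$home" "$empty" && chmod 700 "$home" "$empty" || return 1
  # Step 2, unattended: %no-protection skips the passphrase (demo only; set one for a real key).
  GNUPGHOME="$home" gpg --batch --quiet --gen-key 2>/dev/null <<'EOF' || return 1
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.com
Expire-Date: 0
%commit
EOF
  # Step 3: the long key ID is field 5 of the machine-readable "sec" record.
  keyid=$(GNUPGHOME="$home" gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
  [ -n "$keyid" ] || return 1
  # Step 6: per-repository equivalent of the guide's --global settings.
  git init -q "$repo" || return 1
  git -C "$repo" config user.name "Demo Signer"
  git -C "$repo" config user.email "demo@example.com"
  git -C "$repo" config user.signingkey "$keyid"
  git -C "$repo" config commit.gpgsign true
  # Step 7: one signed commit, then one with signing explicitly turned off.
  echo "first" > "$repo/README"
  git -C "$repo" add README && GNUPGHOME="$home" git -C "$repo" commit -q -m "signed commit" || return 1
  echo "second" >> "$repo/README"
  git -C "$repo" add README && git -C "$repo" commit -q --no-gpg-sign -m "unsigned commit" || return 1
  # Step 8, done locally: %G? prints G (good), N (no signature) or E (cannot verify, e.g. key missing).
  signed=$(GNUPGHOME="$home" git -C "$repo" log -1 --format=%G? HEAD~1)
  unsigned=$(GNUPGHOME="$home" git -C "$repo" log -1 --format=%G? HEAD)
  # The signed commit checked from a keyring without the public key: the local analogue of
  # GitHub's "Unverified" when the key was never added to the account.
  nokey=$(GNUPGHOME="$empty" git -C "$repo" log -1 --format=%G? HEAD~1)
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "$signed $unsigned $nokey"   # G N E
}
```

Run `sign_and_verify_demo` in a POSIX shell; the three letters map directly to GitHub's Verified, no badge, and Unverified states for the same commits.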

Conclusion

Using GPG signing in GitHub enhances security, trust, and integrity in commits and tags. It prevents commit forgery, ensuring that only authorized users contribute verified changes.