Signing Git Commits with GPG on Windows

in #security, 7 years ago

[Image: gpg-yubikey-git.png]

Easy on Linux, hard on Windows?

Well, actually, not at all. I just came across this very nice post, which explains it all. However, since I like things short and to the point, I'm going to condense it even further.

By the way: If you think 'Why would I want to sign my commits??', read this. It is outdated, but still gives you a good idea of what could possibly happen if you don't.

Prerequisites

Finding your fingerprint

The first thing you need is the full fingerprint of the key you want to use for signing your commits. While it is theoretically possible to give git only the short key ID (usually the last 8 hex characters of the fingerprint), this is a bad idea: for quite some time now it has been possible to generate a second key whose 8-character ID matches an existing one, so a short ID does not uniquely identify your key.

[Screenshot] Right-click on the key you wish to use and select 'Certificate Details'.

[Screenshot] Copy the fingerprint.

Configure git

If you installed git for Windows with default settings, you should be able to open a Linux-style command line by simply right-clicking on your desktop (or anywhere in the file explorer) and selecting 'Git Bash'.

[Screenshot]

Only two settings are needed for this to work; they are the two commands below. The first tells git which GnuPG executable to use (make sure the path to your GnuPG installation is correct), and the second tells it which key to sign with.

git config --global gpg.program "c:/Program Files (x86)/GNU/GnuPG/gpg2.exe"
git config --global user.signingkey <FINGERPRINT>

From this point on you can sign a commit with git commit -S -m "...".

If you want git to automatically sign every commit without the need to specify the -S parameter every time, you can additionally do this (which I highly recommend):

git config --global commit.gpgsign true
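As an added example (not part of the original post), the script below checks the three settings configured above before you rely on them: that gpg.program points to an executable, that user.signingkey is a full 40-hex-digit fingerprint rather than a short key ID, and that commit.gpgsign is enabled. The function and variable names are mine; the fingerprint and path values in the comments are constructed placeholders, and check_live_config assumes it is run from Git Bash where git is on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Validates a git GPG signing setup.

# Strip the spaces Kleopatra inserts when copying and upper-case the hex digits.
normalize_fingerprint() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeeds only for a full 40-hex-digit (v4) fingerprint. Short 8- or 16-char
# key IDs are rejected: 32-bit short IDs can be collided deliberately.
is_full_fingerprint() {
  local fp
  fp=$(normalize_fingerprint "$1")
  case "$fp" in
    *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fp}" -eq 40 ]
}

# Check gpg.program, user.signingkey and commit.gpgsign values.
# Prints one line per problem and returns the number of problems found.
check_signing_config() {
  local gpg_program="$1" signingkey="$2" gpgsign="$3" problems=0
  if [ ! -x "$gpg_program" ]; then
    echo "gpg.program is not an executable: $gpg_program"
    problems=$((problems + 1))
  fi
  if ! is_full_fingerprint "$signingkey"; then
    echo "user.signingkey is not a full 40-hex fingerprint: $signingkey"
    problems=$((problems + 1))
  fi
  if [ "$gpgsign" != "true" ]; then
    echo "commit.gpgsign is not 'true'; commits are only signed with -S"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Read the live global git configuration (e.g. "c:/Program Files (x86)/GNU/
# GnuPG/gpg2.exe", a placeholder fingerprint, "true") and check it.
check_live_config() {
  check_signing_config \
    "$(git config --global gpg.program)" \
    "$(git config --global user.signingkey)" \
    "$(git config --global commit.gpgsign)"
}
```

Run check_live_config in Git Bash after the three git config commands; a zero exit status means all three settings look right.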

Changing your name on commits

The name git records for who made a commit and its signature can be controlled. If you do not set any global parameters in git, the name and email address will be whatever is associated with the selected key in Kleopatra.