Christopher James Willcock

Enjoy Kaizen

Signing My Git Commits w/ GPG

UPDATE: I elaborated on this in my follow-up post Why Sign Git Commits?

I keep my secret GPG master key offline on an encrypted USB drive, and keep only a signing subkey on my local machine for day-to-day use. I made sure that signing subkey was available to the git client on the host where my development work takes place, and configured that git client to sign with it.

On commit, I answer the prompt with my GPG passphrase, and my private signing subkey signs the commit. Such signed commits are shown as verified both by my own installation of Gitea at code.cjwillcock.ca and by third parties such as GitHub.

I found the article Create GnuPG key with sub-keys to sign, encrypt, authenticate by Gerhard, via Tinned Software, helpful in getting started with GPG.

I found the article Using an offline GnuPG master key by Damien Goutte-Gattat helpful in learning how to strip the secret material of my master key from my workstation's keyring, so that the master key stays offline while the signing subkey remains conveniently available on my workstation.
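The whole arrangement described above, condensed into a throw-away demonstration (added example, not code from this post or from the articles it links): a certify-only primary key gets a separate signing subkey, the primary's secret material is removed from the keyring so only the subkey can sign, git is pointed at that subkey, and the resulting commit is verified. It assumes gpg 2.1+ and git on PATH; the identity, key and repository are all constructed here and deleted afterwards.

```shell
#!/bin/sh
# Added example, not code from the post. Builds a throw-away GnuPG home with a
# certify-only primary key plus a separate signing subkey, deletes the
# primary's secret material so only the subkey can sign (the offline-master
# layout the post describes), points git at that subkey, makes one signed
# commit and verifies it. Assumes gpg 2.1+ and git on PATH; the identity,
# key and repository are all constructed here and removed afterwards.
set -eu

list_secret() { gpg --batch --with-colons --with-keygrip --list-secret-keys; }

demo_signed_commit() {
  work=$(mktemp -d); repo="$work/repo"
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  # Constructed identity with an empty passphrase, so no pinentry is needed.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example User <example@example.invalid>' ed25519 cert 0 2>/dev/null
  fpr=$(list_secret | awk -F: '$1=="fpr"{print $10; exit}')
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-add-key "$fpr" ed25519 sign 0 2>/dev/null
  # Primary keygrip is the first grp record; the signing subkey's fingerprint
  # is the first fpr record after the ssb record.
  grp=$(list_secret | awk -F: '$1=="grp"{print $10; exit}')
  sub=$(list_secret | awk -F: '$1=="ssb"{s=1} s&&$1=="fpr"{print $10; exit}')
  # Take the primary offline: remove only its private-key file. gpg -K now
  # shows "sec#", i.e. field 15 of the sec record becomes "#".
  rm "$GNUPGHOME/private-keys-v1.d/$grp.key"
  primary=$(list_secret | awk -F: '$1=="sec"{print $15; exit}')
  # Point git at the subkey; the trailing "!" pins that exact subkey.
  git init -q "$repo"
  git -C "$repo" config user.name 'Example User'
  git -C "$repo" config user.email 'example@example.invalid'
  git -C "$repo" config user.signingkey "$sub!"
  git -C "$repo" config commit.gpgsign true
  echo 'signed content' >"$repo/README"
  git -C "$repo" add README
  git -C "$repo" commit -q -m 'signed with the subkey only' 2>/dev/null
  # %G? is G for a good signature from a key with full or ultimate validity.
  sig=$(git -C "$repo" log -1 --format=%G?)
  git -C "$repo" verify-commit HEAD 2>/dev/null
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "primary=$primary sig=$sig"
}
```

Running `demo_signed_commit` prints `primary=# sig=G`: the `#` is GnuPG's marker for a primary whose secret key is absent, and `G` is git's verdict that the commit carries a good signature from a trusted key.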
