Whilst most developers use hosted git repositories on a service like GitHub, many forget that almost none of these commits are verified. If you own a repository, you can “fake” a commit from literally any user if you know their email. If that email matches a GitHub account, their avatar will be displayed next to their name! One famous example is a fake commit by Linus Torvalds:
An effortless way to protect against this is with git verified signatures. This proves that a commit was really from the person. GitKraken introduced this feature a week ago, and it seems to work perfectly. This tutorial will provide a very simple guide to getting verified commits configured.
Note that GitKraken also has a very in-depth guide with lots of extra information.
Next follow the installer’s steps, deselecting GPGOL (Outlook email signing) and GPGEX (Right-click signing).
GPG is now installed!
Under GitKraken’s GPG Preferences (File -> Preferences -> GPG Preferences), browse for your newly installed GPG program. By default, this is at
C:\Program Files (x86)\GnuPG\bin\gpg.exe.
Now that GitKraken knows about GPG, you can press “Generate”, with an optional passphrase.
After a few seconds, you will now have a GPG signing key! The “Signing Key” field of GitKraken’s GPG Preferences screen is now populated with your new key.
Make sure to tick both the “Sign Commits by Default” and “Sign Tags by Default” checkboxes, so all future actions are signed. You should end up with a preferences screen like this:
Your GitKraken is now configured to use commit verification! Time to sort out GitHub…
- Click “Copy GPG Public Key” in the GitKraken GPG Preferences screen. This will copy your public key to your clipboard, ready to give to GitHub.
- Go to GitHub’s “Add new GPG key” screen.
- Paste in your public key from step 1, and press “Add GPG key”.
- You may need to reconfirm your password, then it’s been added
Try making a commit, you should now see a green icon next to your commit hash in GitKraken. You can mouseover it for more information about your signed commit:
When you push this commit, GitHub will also reflect your verified commit status:
Your future commits are now all verified!
Considering how popular GitKraken is becoming (it’s my personal client of choice), being able to implement commit signing so easily provides yet another reason to switchover. Going forward, I fully intend to verify all my commits, with no extra effort beyond the original setup!