GPG Git Signing with Jetbrains IDEs

Git has a great feature to prevent fraudulent commits, especially in public repositories. You can sign a commit with a PGP-compatible tool (GnuPG is probably the most common). This is great when you’re using the command line tools: just do a git commit -S and you’re good to go.

If you’re like a large number of developers, you’re using an IDE of some sort for your heavy coding days. I’m a particular fan of the various Jetbrains IDEs: PyCharm, WebStorm, RubyMine, etc. There’s a pretty full-featured git integration available for all of these and while I still use the command line somewhat often, it’s nice to be able to hit ⌘K and commit from the IDE. There’s currently no option to sign a particular commit from the IDE (there’s Sign-Off, but that just adds a Signed-off-by line to the commit message). However, you can set things up to sign all of your commits, with a couple of gotchas. Here’s a quick walkthrough of the process.

  • Install GnuPG. Ok, this is more of a prerequisite, so it’s up to you to do this one on your own.

  • Create a key for signing. There are lots of tutorials on this process, so again, left as an exercise for the reader. Note your key ID; you can get it with:

> gpg --list-secret-keys --keyid-format LONG
...
ssb   rsa2048/0F40BD647EFF33D6 2017-10-12 [S] [expires: 2021-10-12]

That 0F40BD647EFF33D6 (the part after the slash, on the line flagged [S] for signing) is your key ID.

  • Configure git to sign by default. Use git config --global commit.gpgsign true, etc. to set the following values, with your own substituted.
> git config --global --list
user.name=Trevor R.H. Clarke
user.email=tclarke@ball.com
user.signingkey=0F40BD647EFF33D6
commit.gpgsign=true
  • Configure GnuPG to use a graphical agent to prompt for passwords. This goes in your ~/.gnupg/gpg.conf file, which probably lives in a slightly different location on Windows.
no-tty
use-agent
  • Commit a change in your IDE. I always select the Sign-Off option as well. You should be prompted for your GnuPG password. Once you’ve committed, you can double check that it worked from the command line. This example shows a commit with a signature followed by one without.
> git log --show-signature -2
commit 54c9c211cb478c91d2ecf8e11a31ceaccb7ea179
gpg: Signature made Mon Oct 30 14:39:21 2017 EDT
gpg:                using RSA key F7B6A5FC5C46CAC13B221E920F40BD647EFF33D6
gpg: Good signature from "Trevor R.H. Clarke (Computer Science House default) <retrev@csh.rit.edu>" [ultimate]
gpg:                 aka "Trevor R.H. Clarke <trevor@notcows.com>" [ultimate]
gpg:                 aka "Trevor R.H. Clarke <tclarke@ball.com>" [ultimate]
gpg:                 aka "Trevor R.H. Clarke <pythonpimp@gmail.com>" [ultimate]
Author: Trevor R.H. Clarke <tclarke@ball.com>
Date:   Mon Oct 30 14:39:21 2017 -0400

    Working minus orientation.
    
    Signed-off-by: Trevor R.H. Clarke <tclarke@ball.com>

commit 611d5aa25d0326a8db68715036232d3a5bfd5615
Author: Trevor R.H. Clarke <tclarke@ball.com>
Date:   Fri Oct 27 12:23:44 2017 -0400

    Added Rakefile and restructure dir structure
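The walkthrough above is a manual procedure; the script below is an added example, not part of the original post, that automates the two checkable steps: picking the signing key ID out of `gpg --list-secret-keys --keyid-format LONG` output, and auditing recent commits for missing or bad signatures. It uses git's real `%G?` log format placeholder (G good, U good but key untrusted, B bad, N no signature, E/X/Y/R key problems). The key listing and log lines embedded in it are constructed from the shape of the output shown above, so the functions run offline; with real tools you pipe the gpg and git commands in instead, as the comments show.

```shell
#!/bin/sh
# Added helper script (not from the original post). Assumes gpg and git are
# on PATH when used for real; the SAMPLE_* inputs below are constructed.

# Print the ID of a signing-capable key from
# `gpg --list-secret-keys --keyid-format LONG` output read on stdin.
# Prefers a dedicated signing subkey (ssb ... [S]); falls back to a primary
# key that carries the S capability ([SC], [SCA]).
signing_key_id() {
    awk '
        $1 ~ /^(sec|ssb)/ && $0 ~ /\[[A-Z]*S[A-Z]*\]/ {
            split($2, parts, "/")            # "rsa2048/0F40BD647EFF33D6" -> ID
            if ($1 ~ /^ssb/) { print parts[2]; found = 1; exit }
            if (primary == "") primary = parts[2]
        }
        END { if (!found && primary != "") print primary }'
}

# Print the git config commands for the values the post lists.
git_signing_config() {
    printf 'git config --global user.name "%s"\n' "$1"
    printf 'git config --global user.email "%s"\n' "$2"
    printf 'git config --global user.signingkey %s\n' "$3"
    printf 'git config --global commit.gpgsign true\n'
}

# Audit commits given as lines of `git log --format='%G? %H %s'` on stdin.
# Prints every commit whose signature status is not G (good) and returns 1
# if any were found, so it can gate a push or a CI job.
audit_signatures() {
    awk '
        NF > 0 && $1 != "G" { print; bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample key listing, modelled on the post's output.
SAMPLE_KEYS='sec   rsa2048/ABCDEF0123456789 2017-10-12 [SC] [expires: 2021-10-12]
uid                 [ultimate] Trevor R.H. Clarke <tclarke@ball.com>
ssb   rsa2048/0F40BD647EFF33D6 2017-10-12 [S] [expires: 2021-10-12]'

# Constructed sample log: the two commits from the post, one signed, one not.
SAMPLE_LOG='G 54c9c211cb478c91d2ecf8e11a31ceaccb7ea179 Working minus orientation.
N 611d5aa25d0326a8db68715036232d3a5bfd5615 Added Rakefile and restructure dir structure'

# Real usage:
#   key=$(gpg --list-secret-keys --keyid-format LONG | signing_key_id)
#   git log --format='%G? %H %s' -n 20 | audit_signatures
demo() {
    key=$(printf '%s\n' "$SAMPLE_KEYS" | signing_key_id)
    git_signing_config "Trevor R.H. Clarke" "tclarke@ball.com" "$key"
    printf '%s\n' "$SAMPLE_LOG" | audit_signatures \
        || echo "unsigned or bad-signature commits found"
}

demo
```

One caveat worth knowing when the IDE prompt never appears: on GnuPG 2.1 and later the agent is always used (use-agent is accepted but ignored), and the password dialog comes from whichever pinentry program the agent is configured with, so a missing graphical pinentry shows up as a silent signing failure in the IDE rather than a prompt.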
