Verifying commits with GPG in Bitbucket, GitHub and GitLab

GPG verification of commits in version control systems, has gradually been enabled in all of the three major open source code community services, namely (in alphabetical order) Bitbucket, GitHub, and GitLab.

GitHub was the first, adding it to their platform in May 2016, while Bitbucket followed in June 2017, and GitLab in October 2017.

How then to setup the GPG keys with each of these services:

It should be noted that sadly the Bitbucket running at bitbucket.org does not support this at the moment.

For more background on the topic, Mike Gerwitz wrote “A Git Horror Story: Repository Integrity With Signed Commits”, which goes though in detail why would the commit signing and verification be needed.

The following dense set of commands assumes that there is no existing GPG keys, the required tools such as GnuPG have been installed, and the generated key will be used globally for Git and Mercurial. More information about the different commands and options of the gpg tool are available at their documentation.

Generate a key, which will ask for name, email, and password for the key:

gpg --generate-key

List all keys:

gpg --list-secret-keys --keyid-format LONG

The <key identification hash> used later on, can be found on the sec line from the output of the above command, after the first forward slash.

The full public GPG key, which then needs to be added in the GitHub or GitLab profile settings, can be retrieved with the command:

gpg --armor --export <key identification hash>

Setting up Git to use globally that given GPG key, whenever signing manually:

git config --global user.signingkey <key identification hash>

More about it at Git Book.

To use it only in one Git repository at a time, the following commands will enable it always:

git config user.signingkey <key identification hash>
git config commit.gpgsign true

While using Mercurial, there is the GPG Extension that should be enabled first, either in users home directory via ~/.hgrc or mercurial.ini, or then per project, in the .hg/hgrc file:

[extensions]
hgext.gpg =

[gpg]
key = <key identification hash>

Anyone going back and forth between Git and Mercurial, might be interested if the hg-git conversion extension could also handle GPG signing. At the moment it does not, and there is a feature request for it.

Windows users might need more tuning in their environment, and luckily there are instructions elsewhere.