GPG verification of commits in version control systems, has gradually been enabled in all of the three major open source code community services, namely (in alphabetical order) Bitbucket, GitHub, and GitLab.
How then to setup the GPG keys with each of these services:
It should be noted that sadly the Bitbucket running at
bitbucket.org does not support this at the moment.
For more background on the topic, Mike Gerwitz wrote "A Git Horror Story: Repository Integrity With Signed Commits", which goes though in detail why would the commit signing and verification be needed.
The following dense set of commands assumes that there is no existing GPG keys, the required tools such as GnuPG have been installed, and the generated key will be used globally for Git and Mercurial. More information about the different commands and options of the
gpg tool are available at their documentation.
Generate a key, which will ask for name, email, and password for the key:
List all keys:
gpg --list-secret-keys --keyid-format LONG
<key identification hash> used later on, can be found on the
sec line from the output of the above command, after the first forward slash.
The full public GPG key, which then needs to be added in the GitHub or GitLab profile settings, can be retrieved with the command:
gpg --armor --export <key identification hash>
Setting up Git to use globally that given GPG key, whenever signing manually:
git config --global user.signingkey <key identification hash>
To use it only in one Git repository at a time, the following commands will enable it always:
git config user.signingkey <key identification hash> git config commit.gpgsign true
While using Mercurial, there is the GPG Extension that should be enabled first, either in users home directory via
mercurial.ini, or then per project, in the
[extensions] hgext.gpg = [gpg] key = <key identification hash>
Anyone going back and forth between Git and Mercurial, might be interested if the
hg-git conversion extension could also handle GPG signing. At the moment it does not, and there is a feature request for it.
Windows users might need more tuning in their environment, and luckily there are instructions elsewhere.