Commit Signing with GPG
IMPORTANT
If your projects are in IL4 and IL5, you must sign commits with your CAC instead.
Store your GPG private key in a secure place. It should be treated like a password.
Party Bus does not support using IDEs for code signing. You are free to do so, but if you cannot sign commits in your IDE, please do not open a ticket with the Party Bus help desk. You will need to fix the issue yourself or use the command line to sign the commits you create in your IDE.
Summary
Developers who don't have a Common Access Card (CAC) can sign their commits using a GNU Privacy Guard (GPG) key. To learn how to sign commits using a CAC, follow this guide: HowTo - GitLab - Commit Signing with CAC.
Step-by-Step Guide
MAC
Install GPG (with Homebrew).
brew install gpg
WARNING
When generating the GPG key, be sure to use gpg --full-gen-key. When asked which kind of key you want, choose RSA and RSA. The gpg and git commands in the Windows section below are identical on macOS; follow them from the step that opens a command terminal onward.
Windows
- Install GPG for Windows from Gpg4win - Get Gpg4win.
  a. The site asks for a donation; choose $0 and then download the installer.
- Open the Windows environment variable settings.
  a. Under "User variables," click "New" and add the path to the folder containing gpg.exe.
  b. Under "System variables," find the Path entry and double-click it.
  c. Click "New" and paste the same path.
- Open a command terminal.
  a. Type gpg --list-keys to check whether you already have any GPG keys (gpg --list-secret-keys --keyid-format LONG also shows the key ID needed in the next step).
  b. If you already have a key, assign it to Git with git config --global user.signingkey 1234567890 (replace the digits with the ID of your signing key).
- Create a GPG key.
  a. With GnuPG installed, type gpg --full-gen-key in your command terminal.
  b. Enter the information as shown in the console screenshots below, substituting your own name and GitLab email address.
  c. Once you enter "O" to save, you are asked for a passphrase. Choose a strong one; it protects the private key on disk and is required every time you sign.
  d. Once the key is generated, assign it to Git as in the previous step (git config --global user.signingkey <key ID>).
NOTE
The user.email Git variable must be set. To set it, execute: git config --global user.email <GitLab email>
After a GPG key has been generated, its public key added to the user's GitLab account, and the key ID associated with Git, the commands below may be used to sign commits.
# Manually sign specific commits:
git commit -S -m "My commit message"
# Or configure Git to sign all commits:
git config --global commit.gpgsign true
VSCode Integration (for Mac)
Inside VSCode, open Settings (cmd+, or Preferences -> Settings).
  a. Find Git: Enable Commit Signing and enable it (search the settings for gpg to find it quickly).
VSCode must also be configured to prompt the user for the key passphrase, which it does through pinentry-mac. Run the commands below:
brew install pinentry-mac
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent
The user will be prompted for the key passphrase on their next commit inside VSCode.
Common Errors
General Troubleshooting
While debugging, commits may be traced using GIT_TRACE=1.
INFO
EXAMPLE: GIT_TRACE=1 git commit -S -m "test commit"
Commit "Unverified" in GitLab
Make sure the user.email Git variable has been set and that it matches an email address on the GPG key you added to your GitLab account. To set it, execute: git config --global user.email <GitLab email>.
Error: GPG failed to sign the data / fatal: failed to write commit object
Refer to this Stack Overflow entry for additional error details and suggested solutions.
To resolve, complete the following:
- Execute echo "test" | gpg --clear-sign. If the command fails instead of printing a signed message (typically gpg: signing failed: Inappropriate ioctl for device), continue with the next steps.
- Execute export GPG_TTY=$(tty). This only affects the current shell; add the same line to your shell profile (for example ~/.bashrc or ~/.zshrc) to make it permanent.
- Execute echo "test" | gpg --clear-sign again. The result should now be a clear-signed message beginning with -----BEGIN PGP SIGNED MESSAGE-----.
- If the result is instead:
  gpg: signing failed: Timeout
  gpg: [stdin]: clear-sign failed: Timeout
  restart the gpg-agent with gpgconf --kill gpg-agent and then retry the command.
Could not find identity matching specified user-id
If you receive a message on commit similar to this error:
could not find identity matching specified user-id: XXXXXXXXXX
error: gpg failed to sign the data
fatal: failed to write commit object
it could be caused by a conflicting gpg.format setting in the Git config (for example gpg.format set to x509, which makes Git call gpgsm instead of gpg).
- First, check whether gpg.format is set: git config --get gpg.format.
- If it is set, try to unset it: git config --unset gpg.format, and double-check that it was actually unset. Without --global this only touches the current repository's config; if the value comes from your global config, run git config --global --unset gpg.format.
- If the --unset command didn't remove it, open your ~/.gitconfig and manually delete the format line under [gpg]. Run git config --get gpg.format to ensure it was actually removed.
- Try the commit again.
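The following script is an added example, not code from the Party Bus guide, GitLab or GnuPG. It runs the command-line procedure from the Step-by-Step Guide end to end (generate an "RSA and RSA" key, give Git the key ID, sign a commit, verify it) and then applies the checks from this Common Errors section to the result, including a deliberate user.email mismatch that the preflight catches. It assumes gpg (GnuPG 2.1 or newer) and git are on PATH; the identity DEMO_NAME / DEMO_EMAIL is constructed, the function names are the example's own, and the key is generated without a passphrase only so the script can run unattended (a real signing key must be passphrase-protected, as the guide says). Everything happens in a throwaway GNUPGHOME and repository, so ~/.gnupg and your global Git config are not touched.

```bash
#!/usr/bin/env bash
# Added example, not part of the Party Bus guide: the command-line procedure end to end
# (generate an "RSA and RSA" key, give Git the key ID, sign a commit, verify it), then the
# Common Errors checks run against the result. Everything lives in a throwaway GNUPGHOME
# and repository, so ~/.gnupg and your global Git config are untouched.
# Assumptions: gpg (GnuPG 2.1+) and git on PATH; the identity below is made up; the key is
# created WITHOUT a passphrase only so this runs unattended (a real key must have one).
set -eu

DEMO_NAME="GPG Demo User"               # constructed identity
DEMO_EMAIL="demo@example.com"
DEMO_GNUPGHOME="$(mktemp -d)"; chmod 700 "$DEMO_GNUPGHOME"
DEMO_REPO="$(mktemp -d)"
export GNUPGHOME="$DEMO_GNUPGHOME"      # keep the demo key out of ~/.gnupg

cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null || true   # same fix the guide gives for "Timeout"
  rm -rf "$DEMO_GNUPGHOME" "$DEMO_REPO"
}
trap cleanup EXIT

# Step 1: batch equivalent of "gpg --full-gen-key" choosing "RSA and RSA"; prints the
# long key ID, which is the value the guide puts in user.signingkey.
generate_demo_key() {
  gpg --batch --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $DEMO_NAME
Name-Email: $DEMO_EMAIL
Expire-Date: 0
%commit
EOF
  gpg --list-secret-keys --with-colons "$DEMO_EMAIL" | awk -F: '/^sec/ { print $5; exit }'
}
# Step 2: the armored public key is what you paste into GitLab (user settings, GPG Keys);
# until it is there GitLab shows the commit as "Unverified".
export_public_key() { gpg --armor --export "$1"; }

# Step 3: the guide's git config settings, applied to the demo repo instead of --global.
configure_git_signing() {
  git -C "$DEMO_REPO" config user.name "$DEMO_NAME"
  git -C "$DEMO_REPO" config user.email "$DEMO_EMAIL"   # must match a UID on the key
  git -C "$DEMO_REPO" config user.signingkey "$1"
  git -C "$DEMO_REPO" config commit.gpgsign true         # sign every commit without -S
}
# Step 4: commit, verify, and print Git's signature status letter
# (G good, U good but untrusted key, B bad, E cannot check, N unsigned).
signed_commit_status() {
  echo "signed commit demo" > "$DEMO_REPO/README.md"
  git -C "$DEMO_REPO" add README.md
  git -C "$DEMO_REPO" commit -q -m "Add README (GPG-signed)"
  git -C "$DEMO_REPO" verify-commit HEAD 2>/dev/null   # non-zero exit if bad or missing
  git -C "$DEMO_REPO" log -1 --format='%G?'
}
# The Common Errors checks against one repo: prints a line per problem, non-zero if any.
signing_preflight() {
  repo="$1"; problems=0
  email="$(git -C "$repo" config --get user.email || true)"
  keyid="$(git -C "$repo" config --get user.signingkey || true)"
  format="$(git -C "$repo" config --get gpg.format || true)"
  # "Unverified" in GitLab: user.email must be set and match a UID on the signing key.
  if [ -z "$keyid" ]; then echo "user.signingkey is not set"; problems=1
  elif [ -z "$email" ]; then echo "user.email is not set"; problems=1
  elif ! gpg --list-keys --with-colons "$keyid" | awk -F: '/^uid/ { print $10 }' | grep -qF "<$email>"; then
    echo "user.email '$email' is not a UID on key $keyid"; problems=1
  fi
  # "Could not find identity matching specified user-id": a stray gpg.format setting.
  if [ -n "$format" ] && [ "$format" != "openpgp" ]; then
    echo "gpg.format is '$format'; unset it"; problems=1
  fi
  # "GPG failed to sign the data": gpg itself must be able to clear-sign on this terminal.
  if tty -s; then export GPG_TTY="$(tty)"; fi   # pinentry needs this for protected keys
  if ! echo test | gpg --batch --clearsign -u "$keyid" >/dev/null 2>&1; then
    echo "gpg cannot clear-sign with key '$keyid'"; problems=1
  fi
  return $problems
}

main() {
  keyid="$(generate_demo_key)"
  export_public_key "$keyid" > "$DEMO_GNUPGHOME/gitlab-public-key.asc"
  git init -q "$DEMO_REPO"
  configure_git_signing "$keyid"
  DEMO_STATUS="$(signed_commit_status)"
  # Reproduce the "Unverified" misconfiguration (email not on the key), show the preflight
  # catching it, then restore the matching email and confirm a clean run.
  git -C "$DEMO_REPO" config user.email "someone.else@example.com"
  if signing_preflight "$DEMO_REPO"; then DEMO_PREFLIGHT_MISMATCH=pass; else DEMO_PREFLIGHT_MISMATCH=fail; fi
  git -C "$DEMO_REPO" config user.email "$DEMO_EMAIL"
  if signing_preflight "$DEMO_REPO"; then DEMO_PREFLIGHT_OK=pass; else DEMO_PREFLIGHT_OK=fail; fi
  echo "signature: $DEMO_STATUS; preflight wrong email: $DEMO_PREFLIGHT_MISMATCH; matching: $DEMO_PREFLIGHT_OK"
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
  main
else
  echo "this demo needs gpg and git on PATH" >&2
fi
```

Run it with bash; a clean run ends with the signature status G, the preflight failing while the email is wrong, and passing once it matches the key's UID. To use signing_preflight against a real repository and your real keyring, drop the GNUPGHOME export and point it at the repository path; it only reads Git config and calls gpg, so it reproduces the three troubleshooting checks above without changing anything.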