Signing and Verifying Git Commits on the Command Line and GitHub

Captions
Hey there, Nick Janetakis here. In this video we're going to go over signing and verifying git commits on the command line, as well as go over how to modify your GitHub account so that you get this verified badge next to your name every single time you push up a signed commit or a tag. This signing process is done using a GPG key pair; that's just how git signing works, so you will need a GPG key pair to do this. If you don't have one, that's no problem; I just put up a card now that goes to a video I created not too long ago about creating your own GPG key pair. If you already have one, then you are good to go. Also, as an aside here, if you happen to be using GitLab or Bitbucket, then it all works the same. They have slightly different instructions on how to link up your GPG key to your GitHub account, or GitLab or whatever, but most of the stuff is all the same. So let's get to it here.

By the way, the end game is going to be adding a couple of options to our git config file, but let's not do that by default yet and go over how to manually sign your commits and tags, because there is a subtle difference when it comes to tagging that's not going to be immediately obvious right away. For that I'm going to just screw around here in an empty git repo. You don't need to follow along with this stuff if you don't want to, because we're going to throw away this repo at the end, but if you do want to follow along, no problem.

So let's initialize a new git repo, and I guess we'll touch a new file first and then add that file and then commit things like usual, right? We can do "initial commit"; this is stuff you've probably done a million times. Then we can do a git log and there is our commit. Great, cool. So now let's go over touching a second file here, and we'll add this file and we'll do a git commit just like we did before, but this time we will add a -S (dash capital S) here, which is going to sign the commit, and then we'll put in a message here of "second commit". Then we can do a git log just like before, and now we have two commits. Although on the surface these commits look pretty similar, you can't really tell which one is signed and which one isn't, so for that we can actually do --show-signature here. Here we can see all sorts of great information about the signed commit: we can see it's a verified signature, it's a good signature from whoever signed it; in that case that's me. In your case, if you're using your GPG key pair, then this information is going to change.

Now you might be wondering, well, what's the real value in signing a git commit? The problem with git is, and it's not really a problem, it's just due to the nature of how it works, let's say I make a new file here and I add this file and I commit this file, unsigned by the way, and I use the --author flag and I just say, well, you know, maybe today I'm Elon Musk, right? I don't know his email, let's just say example.com or something like that, and I just say like "I'm smart, trust me". If we do a git log now (let me clear that just so we have a full screen), suddenly my author is Elon Musk. So imagine if this is some code for something with a rocket ship, right? You don't want to have me committing rocket ship code, that's for sure. So signed commits are really nice because you can actually verify that the person creating the commit is that person, and that signature validation process happens through your GPG key pair.

But before we get into the details about that a little bit more, let's go over working with git tags. I'm sure you've done this a million times as well, right? You can just do git tag v1, and then you can do git show v1, and there's the tag that we created. This is called a lightweight tag; it's really just a pointer to a specific commit. There's no other information that's saved with that tag. But you can also make annotated tags, right? You can do this and maybe put in the message of whatever, it doesn't really matter, and we'll just make a new tag here that's annotated, and if we do show on v2 there, then suddenly we get this metadata, or object data, about this tag. We have the tagger, the date, the message, and the tag name and stuff like that. We can even choose not to put in any message at all and still make an annotated tag, and then if we do git show here on v3, then we get the same information but no message.

The reason this is really important is when you create a signed tag, you can't create a lightweight tag like we did with the v1. So let's do git tag here with -s; by the way, that is how you make a signed tag. I don't know why it's lowercase instead of uppercase; maybe uppercase S was already taken for tag before signed tags were a thing, not really sure. But let's make a v4 here. So it's just not going to let us create a lightweight tag; we're going to have to put in the message here, and if we don't put in a message then it's going to fail and it's going to be like, hey buddy, you have to put in a message. So we can choose to either put in a message like that or, like the other one, we can do -m here and put in like "cool"; that's going to totally work. We can also choose to even do an empty message, and suddenly that works as well. I guess there's a difference between an empty string annotated tag versus an unannotated tag; I guess that's the difference between the two. But if we do a git show here on the fourth one that we just messed around with, then we do get the PGP signature as part of this data here in the tag. That's why it needs to be annotated. You can also verify a tag by doing a git tag on the tag itself and then you can do -v, and that will just give you similar output to what we saw when we did --show-signature with the git log, right? We have "good signature from Nick". So you can verify your tag. Cool.

So that is how you can sign your commits and sign your tags, but I'm sure you've already been thinking about this for now: when you do a commit and you put in -S, it's super easy to forget to do that, especially if you're not used to signing your commits, because for me, I have not been signing my commits for a long time. I've had a GPG key pair for, I don't know, like six years, but signing my git commits started pretty recently, and I just don't want to have to be on the hook for typing this out all the time. So lucky for us, if you take a look here at your git config file (and by the way, I have a .user file, which is a slightly different pattern; my main git config file actually includes this file, and the idea there is this user config could be ignored from version control and it has personal information in there like my name and email; again, the stuff is public so I don't need to blur it out, but my dotfiles are basically public on GitHub, like this: I have a git config here but also a config user; you're meant to copy in this one and then modify these things on your own and copy it over to your home directory and not commit it to version control). But going back to here, we can just basically uncomment all of these lines and things will be auto-signed for both commits and tags. So for the commit one it's just gpgsign true, and for the tag one, same deal but with a capital S. And then for the signing key, well, this one's important too, but this needs to match up to your actual GPG key pair ID, the email address that you used when you created your GPG key. So if I do gpg --list-keys here, then it's going to be this email address for me; it's going to be different for you, but that's the one that you want to pop in here for this signing key. Alternatively you can put in a key ID, but the email address I think is just easier to read.

Now this one is a little bit interesting, because if I go back to the comments here, this actually requires having git 2.23 to work. Otherwise, if you don't have this, if you have a lesser version of git, then you will need to remember to put in -s every time you want to sign your tags. You could also choose not to sign your tags as well; that's no problem. And by the way, if you're wondering, if you're running something like Ubuntu 20.04, then if you do a git --version you're good to go; it's 2.25, I think, yeah, 2.25.1. So if you're using an older version than 2.23, then you can choose to upgrade your git version using whatever package manager that you have, or just deal with not signing your tags, or again just put the -s in yourself. So that gets you going for being able to sign stuff automatically.

So if I jump back to here and I touch another file and I add this one and I commit this one, it's like "cool it works", I hope. Then if I do git log here with --show-signature... "cool it works" is not actually signed. What did I do wrong? So let me go back to here. Oh, look at that, I forgot to save the file. So let me go back to here, touch a new file, there we go, git add this one, commit "cool it works for real this time I hope", and then I'll do a git log (actually let me clear this first just so it doesn't get bumped down too far), there we go, "cool it works for real". I don't know how many times I've committed something like "fix CI" for whatever, and then it's like 11 commits later it actually works. But in any case, we are good to go now, right? Our signature is all set up. Nice.

So let's get going on how we can have this set up on GitHub. It's not too complicated, thankfully. So if I go back over here, then you'll probably remember this command from the previous video about creating a GPG key pair: you can run gpg and then you can do --export --armor to get a text output of this, and you can put in your ID, right, your email address here, and that is going to just dump out your public key. But we don't just want to dump it out there; you could do that and copy it manually, but if you're using WSL 2 you can also just pipe that right into clip.exe and now it's in your clipboard. If not, you can just dump it out and copy it manually with the mouse or whatever, or pbcopy or whatever if you're using macOS, or on native Linux, I don't know, it's like the xclip command, I don't know it offhand. But in any case, your key is copied to your clipboard. Also I need to zoom out a little bit.

Now what you want to do is go to your GitHub settings and then jump over to your SSH and GPG keys, and then you can just add a new key here. So what's interesting here is it just tells you exactly what you need to paste in, right, this key here. I'm not going to do it because I already have it done, but what I was saying before about the thing that's interesting is GitHub is only going to let you import keys that have an email address that matches your actual account email address. So that is really, really, really important, because if I were to generate a new GPG key pair saying I'm really Elon Musk or something like that, and I put in his real email or whatever, then suddenly I'm getting verified commits by him when I'm not him. So GitHub was pretty smart to do that. I don't know what Bitbucket or GitLab does, but we are going to go over how to actually manually validate these things on the command line so we're not dependent on GitHub or another git provider being able to do this type of validation with the email matching. But in any case, if you're using GitHub then you should be good to go now, right? You just added your key, and the next time you, you know, maybe you can set up a private repo just to test it out, but you should see that verified badge and you're actually all good to go.

But now let's go over how to do this manual validation process, because it's a little bit, I don't want to say hard to do, but there's a lot of moving parts, sort of, kind of. So notice here from the signature, right, this "good signature": how does it know that it's good? It knows that it's good because, if we go to (let me just start closing some of these things out here), if I go back to here, if I do gpg --list-keys, the reason how it knows it's good is because my key is in my keyring. So if you wanted to actually verify that someone who did the commit actually has a good signature, you're going to need their public key in your keyring.

Now in that GPG key pair video that I created previously, I didn't really go over the remote aspects of GPG keys. So you can actually push your keys up to, it's not a central server, but a server on the internet, and it kind of gets propagated around, and then you can also pull down and search for keys from others. So check this out: if I do a gpg (I don't run these commands often so I'm looking at some notes here), yeah, so --search-keys. If I search for this key, nick janetakis (and you can actually do this on your own), this is just doing a lookup on the internet for this key; it should return a result pretty quickly. Did I spell anything... oh, it's not "email", okay, "gmail", there we go. And also, yeah, whatever, let me just rerun it just so it's not getting blocked. We can see that the gpg command by default is going to use this key server. A key server is basically a server on the internet that uses, you know, whatever this protocol is, and then this is where the key is stored. I don't know the low-level details about how all of this works; it's sort of, I think, kind of how DNS works, where it eventually gets propagated around, but there's no central source. So it's not like... if you use a different key server your key might not be in there if you do a check, but this SKS one is very popular, it's what gpg uses by default, so you should totally use that one if you want to share your keys with someone or exchange them, basically.

But yeah, okay, so we searched for this key, we found it. Your key probably isn't in there yet, so you may want to push it up there; I'll go over that in a minute. But what's really important here is this ID next to the key here; you'll want to copy that to the clipboard. Let's say you want to import my public key, right? That's what we're going to do now, and then you can just delete it after; I'll show you that in a second. So instead of doing --search-keys now, you can do --recv-keys and then you can paste in that key, or maybe it's just --recv-key, let me look here... oh, it's okay, so it's --recv-keys like that. Cool. So we have this ID here and you can just run it. In my case my public key is already in there, but you should get probably similar output, and now if you were to run gpg --list-keys, then you're going to see your key and my key as well, hopefully. And there you go, you just downloaded, or have, my public key in your GPG keyring, and now if you wanted to verify that commits were actually made by me, then you'd be able to run --show-signature, assuming that you had my commits on your disk; like, if I push them up to GitHub and you pull them down, then you'll be able to see that it's a good signature. If this didn't match up, like if someone made their own GPG key and they actually used my name and information like this, then I don't know the exact message that would happen, but it wouldn't be a good signature, because it wouldn't match, because this signature is related to, I guess, my private key as well, right? But that's not pushed up anywhere; but I guess when I push the key up, that information is public enough to know that the fingerprint or whatever lines up. I don't know the super details about that; I don't want to fumble around and make pretend that I do, but all I know is this is the process.

So in addition to searching for keys and receiving keys and listing keys, you can also delete keys as well. So you can do gpg --delete-keys and then you can actually just put in an email address, and that is going to delete keys. And by the way, okay, so you probably won't see this one if you actually tried to delete my key, because I don't want to delete my key; that's my key. So it actually tries to protect you from yourself, thankfully, where you need to use a different flag if you actually want to delete your entire private and public key pair. But normally, if you're just deleting someone else's public key, like if I had someone else's key in there, then this would have worked fine. But yeah, there's no way I'm going to run that one because that's going to actually really delete my private key as well. You should never run that unless you really want to delete your private key.

But as for uploading your key to a key server, you can do gpg and then you can do --send-keys, there we go. In this case, though, you won't be able to just send up your email address, because technically with your email address there could be multiple keys in there. So before you actually run --send-keys (sorry about that, again, this is not something I do all the time), there is a way for you to do --list-keys and you can put in a different key format. So you can do --keyid-format long and then put in something like your email address, not mine this time, and keyid-format... what did I miss? Oh yeah, --list-keys has dashes. Cool. So notice how now there is this D2... ID number; this is the one that you'll want to copy from your key, and then you'll be able to do that gpg --send-keys and pop that in, and you are good to go. So that actually just sent it over to this key server. This is a very important thing to do: if you were to update the expiration date of your key, then you should be sending your keys with this one command here. I did not cover that in that other video about creating a GPG key pair; it didn't really come up in that video, but for this one it is important.

But yeah, that's how you can share your keys between two people. There's actually other ways as well. Remember that command that we ran before, the --export command with --armor, and then we got our key like this, right? This is from that other video, where if you do this then we have the public key. You can also choose to output that right to a different file; you can just do --output and then, I don't know, hello.gpg.pub or whatever (well, you probably should put your name there), but when you do that, then you have this hello key here. If you didn't want to use a public key server to exchange your keys, you can actually just have whoever you want to import into your keyring give you their public key like this. You can tell them, hey, run this command and then email me this file, or whatever you want to do, and then what you could do is you can just run gpg --import and then you can just import their public key like that. There we go; it's very similar to how we ran the --recv-keys command that imported it from the key server, but now it's a local import. So that's how you can basically do this without requiring a central key server. So I believe that is everything related to being able to get other people's public keys so you can verify stuff.

But now maybe we can go over protecting yourself a little bit from merging in code that's unverified by accident. So right now we are in this master branch here, but let's say that we had a different branch here called feature-something, it doesn't really matter, right? And we touch another file in here and then we add it and then we commit it, and there we go. (Okay, I just committed my public key as well; that's not a big deal at all.) But let's say that we have this feature branch; let's say that you pull down one of your repos from GitHub on your machine and it includes a pull request from someone or whatever. It doesn't need to be GitHub, it could be from Bitbucket, whatever; the git repo is on your machine at this point. So what you could do at this point, right, is you can do a git checkout master and then you can do git merge and you can do --verify-signatures, and by the way, you can also do -S here to actually sign this merge as well, like instead of signing your commit or a tag. To be honest, I'm not sure if this one is necessary based on having the config option for commits; we have auto-sign set for commits but not merges. I don't know if there's a separate config option for merge; if there is, you may want to put it in. This is not something I do a ton, so I don't have it in my config file. But in any case, we can merge in our branch now, which is feature-something, and there we go, we just merged it, but we also verified that all signatures need to actually be verified. If we do a git log in here with --show-signature, there we go, we have that feature that we just merged into master; it's all good. So this command here will protect you from merging in unverified commits, which could be really important if you're accepting work from the internet.

So I think that is pretty much all of it. I don't know how long this video is so far, almost 20 minutes, but it pretty much covers everything you'll need to know, at least in your day to day, maybe the 90% for signing your own commits. A lot of the stuff at the end is really just for verifying commits if you're a repo owner, if you really want to make sure that anyone who's contributing has actually made the commits that they have. If not, then really it's a two-minute thing, right? You just modify your git config to have those options that we looked at before, this one over here, yeah, config user, right, blah blah blah. As long as you have these, then that's all you need from a committer's perspective. I hope this helps you get going for signing your commits. If you like the video, please like it, because it helps a lot with the YouTube algorithm. Also, if you have any questions about this, I'll do my best to answer them in the comments below, so don't be shy about asking questions. On that note, thanks a lot for watching and I will see you in the next video.
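The whole workflow from the captions (auto-signing via git config, signed commits and annotated signed tags, exporting a public key and importing it into someone else's keyring, and gating merges with --verify-signatures) run end to end, as an added example that is not part of the video or Nick's dotfiles. It builds a throwaway GPG keyring and git repository under a temp directory, so it never touches ~/.gnupg or a real repository; the identity "Example Committer <committer@example.com>" and the file names are constructed for the demo. It assumes gpg 2.x and git 2.23 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not from the video: exercises the signing, verification,
# key-exchange and merge checks the video walks through, inside a throwaway
# GPG keyring and git repository so nothing touches ~/.gnupg or a real repo.
# The identity "Example Committer <committer@example.com>" is constructed.
set -eu

WORK="$(mktemp -d)"
REPO="$WORK/repo"
COMMITTER="$WORK/committer-gnupg"   # the committer's own keyring
REVIEWER="$WORK/reviewer-gnupg"     # a second person's keyring, initially empty
IDENTITY="Example Committer <committer@example.com>"

new_keyring() { mkdir -p "$1" && chmod 700 "$1"; }   # gpg insists on mode 700

# Passphrase-less key so git can sign without a pinentry prompt.
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$IDENTITY" default default never
}

# Long key id, the value git's user.signingkey accepts (the video uses the email).
key_id() {
  gpg --list-keys --with-colons committer@example.com |
    awk -F: '$1 == "pub" { print $5; exit }'
}

# The two config lines the video ends with, set per-repo rather than globally.
setup_repo() {
  git init -q "$REPO"
  git -C "$REPO" config user.name  "Example Committer"
  git -C "$REPO" config user.email "committer@example.com"
  git -C "$REPO" config user.signingkey "$(key_id)"
  git -C "$REPO" config commit.gpgsign true   # sign every commit
  git -C "$REPO" config tag.gpgSign true      # sign every annotated tag (git >= 2.23)
}

# %G? is G for a good signature from a trusted key, U for a good signature from
# a key of unknown trust, N for no signature at all.
sig_status() {  # $1 = ref, $2 = keyring to verify against
  GNUPGHOME="$2" git -C "$REPO" log -1 --format=%G? "$1"
}

commit_file() {  # $1 = file name, optional $2 = extra flag such as --no-gpg-sign
  echo "$1" > "$REPO/$1"
  git -C "$REPO" add "$1"
  git -C "$REPO" commit -q ${2:-} -m "add $1"
}

# Exit 0 if git accepts the merge under --verify-signatures, non-zero if it refuses.
merge_verified() {
  GNUPGHOME="$COMMITTER" git -C "$REPO" merge -q --no-edit --verify-signatures "$1" >/dev/null 2>&1
}

run_demo() {
  new_keyring "$COMMITTER"; new_keyring "$REVIEWER"
  export GNUPGHOME="$COMMITTER"
  gen_key
  setup_repo
  commit_file one.txt                                # signed automatically via commit.gpgsign
  MAIN="$(git -C "$REPO" symbolic-ref --short HEAD)"
  git -C "$REPO" verify-commit HEAD 2>/dev/null      # exits non-zero on a bad signature
  git -C "$REPO" tag -s v1 -m "release v1"           # signed tags are always annotated
  git -C "$REPO" verify-tag v1 2>/dev/null

  # Share the public key as a file and import it into the reviewer's keyring,
  # the --export --armor / --import route from the video.
  gpg --armor --export committer@example.com > "$WORK/committer.pub"
  GNUPGHOME="$REVIEWER" gpg --batch --quiet --import "$WORK/committer.pub" 2>/dev/null

  STATUS_SELF="$(sig_status HEAD "$COMMITTER")"       # G: own key is ultimately trusted
  STATUS_REVIEWER="$(sig_status HEAD "$REVIEWER")"    # U: good signature, trust never set

  # A feature branch whose tip is unsigned: --verify-signatures refuses it.
  git -C "$REPO" checkout -q -b feature
  commit_file two.txt --no-gpg-sign
  git -C "$REPO" checkout -q "$MAIN"
  STATUS_FEATURE="$(sig_status feature "$COMMITTER")"  # N
  if merge_verified feature; then UNSIGNED_TIP=merged; else UNSIGNED_TIP=refused; fi

  # Put a signed commit on top of the unsigned one. git checks only the tip,
  # so the merge now succeeds and the unsigned commit comes along with it.
  git -C "$REPO" checkout -q feature
  commit_file three.txt
  git -C "$REPO" checkout -q "$MAIN"
  if merge_verified feature; then SIGNED_TIP=merged; else SIGNED_TIP=refused; fi
  STATUS_BELOW_TIP="$(sig_status HEAD~1 "$COMMITTER")" # N: the unsigned commit

  gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$REVIEWER" gpgconf --kill gpg-agent 2>/dev/null || true
}

if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
  run_demo
  echo "own keyring: $STATUS_SELF, reviewer keyring: $STATUS_REVIEWER, feature tip: $STATUS_FEATURE"
  echo "merge with unsigned tip: $UNSIGNED_TIP, with signed tip: $SIGNED_TIP, commit below tip: $STATUS_BELOW_TIP"
else
  echo "gpg and git are required to run this demo" >&2
fi
```

Two things the run makes visible that the captions do not spell out. First, the reviewer's keyring reports U rather than G: the signature is cryptographically good, but an imported key has no ownertrust, so git flags its validity as unknown until the reviewer signs it or sets trust. Second, git merge --verify-signatures verifies only the tip commit of the branch being merged, as its manual page states, so a signed commit on top of an unsigned one passes the check and the unsigned commit is merged along with it; a repo owner who wants every commit checked needs a log --format=%G? sweep over the range, not just the merge flag.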
Info
Channel: Nick Janetakis
Views: 7,925
Rating: 4.9014778 out of 5
Keywords: Git, GitHub, GPG, Signed commits, Security
Id: 4166ExAnxmo
Length: 20min 23sec (1223 seconds)
Published: Tue Nov 24 2020