Skip to main content

Telling Git about your signing key

To sign commits locally, you need to inform Git that there's a GPG, SSH, or X.509 key you'd like to use.

Telling Git about your GPG key

If you're using a GPG key that matches your committer identity and your verified email address associated with your account on GitHub AE, then you can begin signing commits and signing tags.

If you don't have a GPG key that matches your committer identity, you need to associate an email with an existing key. For more information, see "Associating an email with your GPG key".

If you have multiple GPG keys, you need to tell Git which one to use.

  1. 打开终端终端Git Bash

  2. 使用 gpg --list-secret-keys --keyid-format=long 命令列出你拥有其公钥和私钥的长形式 GPG 密钥。 签名提交或标记需要私钥。

    Shell
    $ gpg --list-secret-keys --keyid-format=long

    注意:Linux 上的某些 GPG 安装可能需要改用 gpg2 --list-keys --keyid-format LONG 查看现有密钥的列表。 在这种情况下,还需要通过运行 git config --global gpg.program gpg2 来配置 Git 以使用 gpg2

  3. 从 GPG 密钥列表中复制您想要使用的 GPG 密钥 ID 的长形式。 在本例中,GPG 密钥 ID 为 3AA5C34371567BD2

    Shell
    $ gpg --list-secret-keys --keyid-format=long
    /Users/hubot/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Hubot <hubot@example.com>
    ssb   4096R/42B317FD4BA89E7A 2016-03-10
  4. 若要在 Git 中设置 GPG 签名主键,请粘贴下面的文本,替换要使用的 GPG 主键 ID。 在本例中,GPG 密钥 ID 为 3AA5C34371567BD2

    $ git config --global user.signingkey 3AA5C34371567BD2

    或者,在设置子项时包含 ! 后缀。 在本例中,GPG 子键 ID 为 4BB6D45482678BE3

    $ git config --global user.signingkey 4BB6D45482678BE3!
  5. If you aren't using the GPG suite, run the following command in the zsh shell to add the GPG key to your .zshrc file, if it exists, or your .zprofile file:

    $ if [ -r ~/.zshrc ]; then echo 'export GPG_TTY=$(tty)' >> ~/.zshrc; \
      else echo 'export GPG_TTY=$(tty)' >> ~/.zprofile; fi

    Alternatively, if you use the bash shell, run this command:

    $ if [ -r ~/.bash_profile ]; then echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile; \
      else echo 'export GPG_TTY=$(tty)' >> ~/.profile; fi
  6. Optionally, to prompt you to enter a PIN or passphrase when required, install pinentry-mac. For example, using Homebrew:

    $ brew install pinentry-mac
    $ echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
    $ killall gpg-agent

Telling Git about your GPG key

If you're using a GPG key that matches your committer identity and your verified email address associated with your account on GitHub AE, then you can begin signing commits and signing tags.

If you don't have a GPG key that matches your committer identity, you need to associate an email with an existing key. For more information, see "Associating an email with your GPG key".

If you have multiple GPG keys, you need to tell Git which one to use.

  1. 打开终端终端Git Bash

  2. 使用 gpg --list-secret-keys --keyid-format=long 命令列出你拥有其公钥和私钥的长形式 GPG 密钥。 签名提交或标记需要私钥。

    Shell
    $ gpg --list-secret-keys --keyid-format=long

    注意:Linux 上的某些 GPG 安装可能需要改用 gpg2 --list-keys --keyid-format LONG 查看现有密钥的列表。 在这种情况下,还需要通过运行 git config --global gpg.program gpg2 来配置 Git 以使用 gpg2

  3. 从 GPG 密钥列表中复制您想要使用的 GPG 密钥 ID 的长形式。 在本例中,GPG 密钥 ID 为 3AA5C34371567BD2

    Shell
    $ gpg --list-secret-keys --keyid-format=long
    /Users/hubot/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Hubot <hubot@example.com>
    ssb   4096R/42B317FD4BA89E7A 2016-03-10
  4. 若要在 Git 中设置 GPG 签名主键,请粘贴下面的文本,替换要使用的 GPG 主键 ID。 在本例中,GPG 密钥 ID 为 3AA5C34371567BD2

    $ git config --global user.signingkey 3AA5C34371567BD2

    或者,在设置子项时包含 ! 后缀。 在本例中,GPG 子键 ID 为 4BB6D45482678BE3

    $ git config --global user.signingkey 4BB6D45482678BE3!

Telling Git about your GPG key

If you're using a GPG key that matches your committer identity and your verified email address associated with your account on GitHub AE, then you can begin signing commits and signing tags.

If you don't have a GPG key that matches your committer identity, you need to associate an email with an existing key. For more information, see "Associating an email with your GPG key".

If you have multiple GPG keys, you need to tell Git which one to use.

  1. 打开终端终端Git Bash

  2. 使用 gpg --list-secret-keys --keyid-format=long 命令列出你拥有其公钥和私钥的长形式 GPG 密钥。 签名提交或标记需要私钥。

    Shell
    $ gpg --list-secret-keys --keyid-format=long

    注意:Linux 上的某些 GPG 安装可能需要改用 gpg2 --list-keys --keyid-format LONG 查看现有密钥的列表。 在这种情况下,还需要通过运行 git config --global gpg.program gpg2 来配置 Git 以使用 gpg2

  3. 从 GPG 密钥列表中复制您想要使用的 GPG 密钥 ID 的长形式。 在本例中,GPG 密钥 ID 为 3AA5C34371567BD2

    Shell
    $ gpg --list-secret-keys --keyid-format=long
    /Users/hubot/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Hubot <hubot@example.com>
    ssb   4096R/42B317FD4BA89E7A 2016-03-10
  4. 若要在 Git 中设置 GPG 签名主键,请粘贴下面的文本,替换要使用的 GPG 主键 ID。 在本例中,GPG 密钥 ID 为 3AA5C34371567BD2

    $ git config --global user.signingkey 3AA5C34371567BD2

    或者,在设置子项时包含 ! 后缀。 在本例中,GPG 子键 ID 为 4BB6D45482678BE3

    $ git config --global user.signingkey 4BB6D45482678BE3!
  5. To add your GPG key to your .bashrc startup file, run the following command:

    $ [ -f ~/.bashrc ] && echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
    

Telling Git about your SSH key

You can use an existing SSH key to sign commits and tags, or generate a new one specifically for signing. For more information, see "Generating a new SSH key and adding it to the ssh-agent."

Note: SSH signature verification is available in Git 2.34 or later. To update your version of Git, see the Git website.

  1. 打开终端终端Git Bash

  2. Configure Git to use SSH to sign commits and tags:

    $ git config --global gpg.format ssh
    
  3. Copy the SSH public key to your clipboard.

    If your SSH public key file has a different name than the example code, modify the filename to match your current setup. When copying your key, don't add any newlines or whitespace.

    $ pbcopy < ~/.ssh/id_rsa.pub
      # Copies the contents of the id_rsa.pub file to your clipboard

    Tip: If pbcopy isn't working, you can locate the hidden .ssh folder, open the file in your favorite text editor, and copy it to your clipboard.

    $ clip < ~/.ssh/id_rsa.pub
      # Copies the contents of the id_rsa.pub file to your clipboard

    Tip: If clip isn't working, you can locate the hidden .ssh folder, open the file in your favorite text editor, and copy it to your clipboard.

    $ cat ~/.ssh/id_rsa.pub
      # Then select and copy the contents of the id_rsa.pub file
      # displayed in the terminal to your clipboard

    Tip: Alternatively, you can locate the hidden .ssh folder, open the file in your favorite text editor, and copy it to your clipboard.

  4. 若要在 Git 中设置 SSH 签名密钥,请粘贴下面的文本,替换要使用的密钥的剪贴板内容。 由于密钥包含空格,因此必须用引号将它括起:

    $ git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com'
    

将您的 X.509 密钥告知 Git

可通过 S/MIME 而不是 GPG 使用 smimesign 对提交和标记进行签名。

注意:S/MIME 签名验证可用于 Git 2.19 或更高版本。 若要更新 Git 版本,请参阅 Git 网站。

  1. 安装 smimesign
  2. 打开终端终端Git Bash
  3. 配置 Git 使用 S/MIME 对提交和标记签名。 在 Git 2.19 或更高版本中,使用 git config gpg.x509.programgit config gpg.format 命令:
  • 要使用 S/MIME 对所有仓库签名:
    $ git config --global gpg.x509.program smimesign
    $ git config --global gpg.format x509
  • 要使用 S/MIME 对单一仓库签名:
    $ cd /path/to/my/repository
    $ git config --local gpg.x509.program smimesign
    $ git config --local gpg.format x509
    在 Git 2.18 或更低版本中,使用 git config gpg.program 命令:
  • 要使用 S/MIME 对所有仓库签名:
    $ git config --global gpg.program smimesign
  • 要使用 S/MIME 对单一仓库签名:
    $ cd /path/to/my/repository
    $ git config --local gpg.program smimesign
    如果您使用的是与提交者身份匹配的 X.509 密钥,您可以开始对提交和标记签名。
  1. 如果你使用的不是与提交者标识匹配的 X.509 密钥,则使用 smimesign --list-keys 命令列出你有其证书和私钥的 X.509 密钥。
    $ smimesign --list-keys
  2. 从 X.509 密钥列表中复制您想要使用的 X.509 密钥的证书 ID。 在本示例中,客户端 ID 为 0ff455a2708394633e4bb2f88002e3cd80cbd76f
    $ smimesign --list-keys
                 ID: 0ff455a2708394633e4bb2f88002e3cd80cbd76f
                S/N: a2dfa7e8c9c4d1616f1009c988bb70f
          Algorithm: SHA256-RSA
           Validity: 2017-11-22 00:00:00 +0000 UTC - 2020-11-22 12:00:00 +0000 UTC
             Issuer: CN=DigiCert SHA2 Assured ID CA,OU=www.digicert.com,O=DigiCert Inc,C=US
            Subject: CN=Octocat,O=GitHub\, Inc.,L=San Francisco,ST=California,C=US
             Emails: octocat@github.com
  3. 要在 Git 中设置您的 X.509 签名密钥,请粘贴下面的文本,替换之前复制的证书 ID 。
  • 要使用 X.509 密钥注册所有仓库:
    $ git config --global user.signingkey 0ff455a2708394633e4bb2f88002e3cd80cbd76f
  • 要使用 X.509 密钥注册单一仓库:
    $ cd /path/to/my/repository
    $ git config --local user.signingkey 0ff455a2708394633e4bb2f88002e3cd80cbd76f

Further reading