Skip to main content

Configuring web commit signing

You can enable auto-signing of commits made in the web interface of GitHub Enterprise Server.

Who can use this feature

Site administrators can configure web commit signing for your GitHub Enterprise Server instance.

About web commit signing

If you enable web commit signing, GitHub Enterprise Server will automatically use GPG to sign commits users make on the web interface of your GitHub Enterprise Server instance. Commits signed by GitHub Enterprise Server will have a verified status. For more information, see "About commit signature verification."

You can enable web commit signing, rotate the private key used for web commit signing, and disable web commit signing.

Enabling web commit signing

  1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

    Shell
    gpg --full-generate-key --pinentry-mode=loopback
    • Use the default key type and at least 4096 bits with no expiry.
    • Use web-flow as the username. If web-flow is unavailable or unusable, use any new unique username. Use this username throughout the following steps in this article.
    • If you have a no-reply email address defined in the Management Console, use that email address. If not, use any email address, such as web-flow@my-company.com. The email address does not need to be valid.
    • The PGP key cannot be protected by a passphrase.
  2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

    Shell
    ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
  3. Update the settings for GitHub Enterprise Server's commit signing service.

    Shell
    sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
     
    nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
  4. Enable web commit signing.

    Shell
    ghe-config app.github.web-commit-signing-enabled true
  5. Apply the configuration, then wait for the configuration run to complete.

    Shell
    ghe-config-apply
  6. Create a new user on your GitHub Enterprise Server instance via built-in authentication or external authentication. For more information, see "About authentication for your enterprise."

    • The user's username must be the same username you used when creating the PGP key in step 1 above, for example, web-flow.
    • The user's email address must be the same address you used when creating the PGP key.
  7. Run the following command, replacing KEY-ID with your PGP key ID.

    Shell
    gpg --armor --export KEY-ID
  8. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  9. Sign into GitHub Enterprise Server as the user created for web commit signing, for example, web-flow.

  10. Add the public PGP key to the user's profile. For more information, see "Adding a GPG key to your GitHub account."

    Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.

  11. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .

    Screenshot of the rocket ship icon for accessing site admin settings

  12. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

    Screenshot of "Site admin" link

  13. In the left sidebar, click Management Console. Management Console tab in the left sidebar

  14. At the top of the page, click Settings. Settings tab

  15. In the left sidebar, click Email. Email tab

  16. Under "No-reply email address", type the same email address you used when creating the PGP key.

    Note: The "No-reply email address" field will only be displayed if you've enabled email for your GitHub Enterprise Server instance. For more information, see "Configuring email for notifications."

  17. Under the left sidebar, click Save settings.

    Screenshot of the save settings button in the Management Console

    Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

  18. Wait for the configuration run to complete.

    Configuring your instance

Rotating the private key used for web commit signing

  1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

    Shell
    gpg --full-generate-key --pinentry-mode=loopback
    • Use the default key type and at least 4096 bits with no expiry.
    • Use the web commit signing user's username, for example, web-flow.
    • Use the no-reply email address defined in the Management Console, which should be the same as the email address of the web commit signing user, for example, web-flow.
    • The PGP key cannot be protected by a passphrase.
  2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

    Shell
    ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
  3. Update the settings for GitHub Enterprise Server's commit signing service.

    Shell
    sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
     
    nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
  4. Run the following command, replacing KEY-ID with your PGP key ID.

    Shell
    gpg --armor --export KEY-ID
  5. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  6. Sign into GitHub Enterprise Server as the user created for web commit signing, for example, web-flow.

  7. Add the public PGP key to the user's profile. For more information, see "Adding a GPG key to your GitHub account."

    Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.

Disabling web commit signing

You can disable web commit signing for your GitHub Enterprise Server instance.

  1. In the administrative shell, run the following command.

    Shell
    ghe-config app.github.web-commit-signing-enabled false
  2. Apply the configuration.

    Shell
    ghe-config-apply