
Configuring web commit signing

You can enable auto-signing of commits made in the web interface of GitHub Enterprise Server.

Site administrators can configure web commit signing for your GitHub Enterprise Server instance.

About web commit signing

If you enable web commit signing, GitHub Enterprise Server will automatically use GPG to sign commits users make on the web interface of your GitHub Enterprise Server instance. Commits signed by GitHub Enterprise Server will have a verified status. For more information, see "About commit signature verification."

You can enable web commit signing, rotate the private key used for web commit signing, and disable web commit signing.

Enabling web commit signing

  1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

    Shell
    gpg --full-generate-key --pinentry-mode=loopback
    • Use the default key type and at least 4096 bits with no expiry.
    • Use web-flow as the username.
    • If you have a no-reply email address defined in the Management Console, use that email address. If not, use any email address, such as web-flow@my-company.com. The email address does not need to be valid.
    • The PGP key cannot be protected by a passphrase.
  2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

    Shell
    ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
  3. Update the settings for GitHub Enterprise Server's commit signing service.

    Shell
    sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
    
    nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
  4. Enable web commit signing.

    Shell
    ghe-config app.github.web-commit-signing-enabled true
  5. Apply the configuration, then wait for the configuration run to complete.

    Shell
    ghe-config-apply
  6. Create a new user on your GitHub Enterprise Server instance via built-in authentication or external authentication. For more information, see "About authentication for your enterprise."

    • The user's username must be web-flow.
    • The user's email address must be the same address you used for the PGP key.
  7. Run the following command, replacing KEY-ID with your PGP key ID.

    Shell
    gpg --armor --export KEY-ID
  8. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  9. Sign into GitHub Enterprise Server as the web-flow user.

  10. Add the public PGP key to the user's profile. For more information, see "Adding a new GPG key to your GitHub account."

    Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.

  11. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click the rocket icon to access the administrative settings.

  12. If you're not already on the "Site admin" page, in the lower-left corner, click Site admin.

  13. In the left sidebar, click Management Console.

  14. At the top of the page, click Settings.

  15. In the left sidebar, click Email.

  16. Under "No-reply email address", type the same email address you used for the PGP key.

    Note: The "No-reply email address" field will only be displayed if you've enabled email for your GitHub Enterprise Server instance. For more information, see "Configuring email for notifications."

  17. Under the left sidebar, click Save settings.

    Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

  18. Wait for the configuration run to complete.

Rotating the private key used for web commit signing

  1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

    Shell
    gpg --full-generate-key --pinentry-mode=loopback
    • Use the default key type and at least 4096 bits with no expiry.
    • Use web-flow as the username.
    • Use the no-reply email address defined in the Management Console, which should be the same as the email address of the web-flow user.
    • The PGP key cannot be protected by a passphrase.
  2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

    Shell
    ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
  3. Update the settings for GitHub Enterprise Server's commit signing service.

    Shell
    sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
    
    nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
  4. Run the following command, replacing KEY-ID with your PGP key ID.

    Shell
    gpg --armor --export KEY-ID
  5. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  6. Sign into GitHub Enterprise Server as the web-flow user.

  7. Add the public PGP key to the user's profile. For more information, see "Adding a new GPG key to your GitHub account."

    Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.
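As an added example (not GitHub's own tooling or part of this documentation), the following POSIX shell helpers cover the key-creation and key-storage steps shared by the enabling and rotation procedures above: an unattended GnuPG parameter file that enforces the step 1 requirements (RSA, 4096 bits, no expiry, no passphrase, username web-flow), the same awk transform step 2 uses to fold the multi-line armored export into the single-line value stored by ghe-config, and a round-trip check that the stored form decodes back to the original. The email address and the sample key text are constructed placeholders, and generate_key only runs where gpg is installed.

```shell
#!/bin/sh
# Added example; assumes GnuPG 2.1+ for unattended --batch --gen-key.

# Constructed stand-in for an armored export; not a real key.
SAMPLE_KEY='-----BEGIN PGP PRIVATE KEY BLOCK-----

lQcYBGV4YW1wbGUgb25seSwgbm90IGEgcmVhbCBrZXk=
=AbCd
-----END PGP PRIVATE KEY BLOCK-----'

# Parameters matching the page's requirements: RSA 4096-bit primary key and
# subkey, no expiry, no passphrase, username web-flow. Placeholder email.
write_key_params() {
  cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: web-flow
Name-Email: ${1:-web-flow@my-company.com}
Expire-Date: 0
%commit
EOF
}

# Same transform the ghe-config command pipes the export through: each line is
# followed by a literal backslash-n, so the armored key becomes one line.
escape_key() {
  printf '%s\n' "$1" | awk '{printf "%s\\n", $0}'
}

# Inverse transform: expand the stored \n sequences back into real newlines.
unescape_key() {
  printf '%b' "$1"
}

# Returns 0 when the stored form is a single line and decodes back to the input.
check_roundtrip() {
  escaped=$(escape_key "$1")
  [ "$(printf '%s' "$escaped" | wc -l | tr -d ' ')" -eq 0 ] || return 1
  [ "$(unescape_key "$escaped")" = "$1" ]
}

# Generate the key only where gpg exists (the administrative shell); else skip.
generate_key() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found; skipping" >&2; return 2; }
  write_key_params "$1" | gpg --batch --gen-key
}
```

Pipe the output of unescape_key over the stored ghe-config value into gpg --show-keys to confirm the instance holds the key ID you expect before running ghe-config-apply.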

Disabling web commit signing

You can disable web commit signing for your GitHub Enterprise Server instance.

  1. In the administrative shell, run the following command.

    Shell
    ghe-config app.github.web-commit-signing-enabled false
  2. Apply the configuration.

    Shell
    ghe-config-apply