
Configuring web commit signing

You can enable auto-signing of commits made in the web interface of GitHub Enterprise Server.

Site administrators can configure web commit signing for your GitHub Enterprise Server instance.

About web commit signing

If you enable web commit signing, GitHub Enterprise Server will automatically use GPG to sign commits users make on the web interface of your GitHub Enterprise Server instance. Commits signed by GitHub Enterprise Server will have a verified status. For more information, see "About commit signature verification."

You can enable web commit signing, rotate the private key used for web commit signing, and disable web commit signing.

Enabling web commit signing

  1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

    Shell
    gpg --full-generate-key --pinentry-mode=loopback
    • Use the default key type and at least 4096 bits with no expiry.
    • Use web-flow as the username.
    • If you have a no-reply email address defined in the Management Console, use that email address. If not, use any email address, such as web-flow@my-company.com. The email address does not need to be valid.
    • The PGP key cannot be protected by a passphrase.
  2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

    Shell
    ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
  3. Update the settings for GitHub Enterprise Server's commit signing service.

    Shell
    sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
    
    nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
  4. Enable web commit signing.

    Shell
    ghe-config app.github.web-commit-signing-enabled true
  5. Apply the configuration, then wait for the configuration run to complete.

    Shell
    ghe-config-apply
  6. Create a new user on your GitHub Enterprise Server instance via built-in authentication or external authentication. For more information, see "About authentication for your enterprise."

    • The user's username must be web-flow.
    • The user's email address must be the same address you used for the PGP key.
  7. Run the following command, replacing KEY-ID with your PGP key ID.

    Shell
    gpg --armor --export KEY-ID
  8. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  9. Sign into GitHub Enterprise Server as the web-flow user.

  10. Add the public PGP key to the user's profile. For more information, see "Adding a GPG key to your GitHub account."

    Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.

  11. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click the rocket ship icon to access the site admin settings.

  12. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.


  13. In the left sidebar, click Management Console.

  14. At the top of the page, click Settings.

  15. In the left sidebar, click Email.

  16. Under "No-reply email address", type the same email address you used for the PGP key.

    Note: The "No-reply email address" field will only be displayed if you've enabled email for your GitHub Enterprise Server instance. For more information, see "Configuring email for notifications."

  17. Under the left sidebar, click Save settings.

    Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

  18. Wait for the configuration run to complete.
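Steps 1 and 2 above (and the same steps in the rotation procedure below) generate the key and fold its armored export into a single ghe-config value. The following script is an added example, not part of the GitHub documentation, that checks a key listing against the stated requirements and confirms the folded value decodes back to the original armored block. It assumes the record layout of gpg --list-secret-keys --with-colons (sec: key length in field 3, expiry in field 7; uid: user ID in field 10); the listings and armored block embedded here are constructed placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a web-flow signing key before storing it with ghe-config.

# Reject a listing that breaks the requirements: >= 4096 bits, no expiry, user ID
# web-flow. Prints "ok" on success, a reason plus non-zero status otherwise.
check_key_listing() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" { seen = 1; bits = $3 + 0; expires = $7 }
    $1 == "uid" && index($10, "web-flow") == 1 { uid_ok = 1 }
    END {
      if (!seen)         { print "no secret key in listing"; exit 1 }
      if (bits < 4096)   { print "key is only " bits " bits; need at least 4096"; exit 1 }
      if (expires != "") { print "key has an expiry; the web-flow key must not expire"; exit 1 }
      if (!uid_ok)       { print "user ID must be web-flow"; exit 1 }
      print "ok"
    }'
}

# Same transform the docs apply before ghe-config: fold the armored key into one
# line with literal "\n" sequences (stdin -> stdout).
escape_armored_key() {
  awk '{printf "%s\\n", $0}'
}

# Reverse it, to confirm the stored value still decodes to the original key.
unescape_armored_key() {
  printf '%b' "$1"
}

# Constructed sample listings (placeholder key ID and fingerprint, not real keys).
GOOD_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000::u:::scESC:::+:::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::web-flow <web-flow@my-company.com>::::::::::0:'
EXPIRING_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000:1731536000:u:::scESC:::+:::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::web-flow <web-flow@my-company.com>::::::::::0:'

# Placeholder armored block (not a real key) to exercise the round trip.
SAMPLE_KEY='-----BEGIN PGP PRIVATE KEY BLOCK-----

lQcYBEXAMPLEONLY
-----END PGP PRIVATE KEY BLOCK-----'

# Folded value must be a single line and must decode back to SAMPLE_KEY.
roundtrip_ok() {
  escaped=$(printf '%s\n' "$SAMPLE_KEY" | escape_armored_key)
  [ "$(printf '%s' "$escaped" | wc -l | tr -d ' ')" -eq 0 ] || return 1
  [ "$(unescape_armored_key "$escaped")" = "$SAMPLE_KEY" ]
}

check_key_listing "$GOOD_LISTING"
check_key_listing "$EXPIRING_LISTING" || echo "rejected expiring key (expected)"
roundtrip_ok && echo "folded key round-trips"
```

On a real instance, feed check_key_listing the output of gpg --list-secret-keys --with-colons <YOUR-KEY-ID> before running the ghe-config command in step 2.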

Rotating the private key used for web commit signing

  1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

    Shell
    gpg --full-generate-key --pinentry-mode=loopback
    • Use the default key type and at least 4096 bits with no expiry.
    • Use web-flow as the username.
    • Use the no-reply email address defined in the Management Console, which should be the same as the email address of the web-flow user.
    • The PGP key cannot be protected by a passphrase.
  2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

    Shell
    ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
  3. Update the settings for GitHub Enterprise Server's commit signing service.

    Shell
    sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
    
    nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
  4. Run the following command, replacing KEY-ID with your PGP key ID.

    Shell
    gpg --armor --export KEY-ID
  5. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

  6. Sign into GitHub Enterprise Server as the web-flow user.

  7. Add the public PGP key to the user's profile. For more information, see "Adding a GPG key to your GitHub account."

    Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.

Disabling web commit signing

You can disable web commit signing for your GitHub Enterprise Server instance.

  1. In the administrative shell, run the following command.

    Shell
    ghe-config app.github.web-commit-signing-enabled false
  2. Apply the configuration.

    Shell
    ghe-config-apply