About web commit signing
If you enable web commit signing, GitHub Enterprise Server will automatically use GPG to sign commits users make on the web interface of your GitHub Enterprise Server instance. Commits signed by GitHub Enterprise Server will have a verified status. For more information, see "About commit signature verification."
You can enable web commit signing, rotate the private key used for web commit signing, and disable web commit signing.
Enabling web commit signing
1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

   gpg --full-generate-key --pinentry-mode=loopback

   - Use the default key type and at least 4096 bits with no expiry.
   - Use web-flow as the username. If web-flow is unavailable or unusable, use any new unique username. Use this username throughout the following steps in this article.
   - If you have a no-reply email address defined in the Management Console, use that email address. If not, use any email address, such as web-flow@my-company.com. The email address does not need to be valid.
   - The PGP key cannot be protected by a passphrase.

2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

   ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
3. Update the settings for GitHub Enterprise Server's commit signing service by running the following two commands.

   sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
   nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
4. Enable web commit signing.

   ghe-config app.github.web-commit-signing-enabled true

5. Create a new user on your GitHub Enterprise Server instance via built-in authentication or external authentication. For more information, see "About identity and access management."

   - The user's username must be the same username you used when creating the PGP key in step 1 above, for example, web-flow.
   - The user's email address must be the same address you used when creating the PGP key.

6. Run the following command, replacing KEY-ID with your PGP key ID.

   gpg --armor --export KEY-ID

7. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

8. Sign into GitHub Enterprise Server as the user created for web commit signing, for example, web-flow.

9. Add the public PGP key to the user's profile. For more information, see "Adding a GPG key to your GitHub account."

   Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.
10. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click the site admin icon (the rocket).
11. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

12. In the "Site admin" sidebar, click Management Console.

13. In the "Settings" sidebar, click Email.

14. Under "No-reply email address", type the same email address you used when creating the PGP key.

    Note: The "No-reply email address" field will only be displayed if you've enabled email for your GitHub Enterprise Server instance. For more information, see "Configuring email for notifications."

15. Under the "Settings" sidebar, click Save settings.

    Note: Saving settings in the Management Console restarts system services, which could result in user-visible downtime.

16. Wait for the configuration run to complete.
Rotating the private key used for web commit signing
1. In the administrative shell, create a PGP key. Make note of the email address and key ID.

   gpg --full-generate-key --pinentry-mode=loopback

   - Use the default key type and at least 4096 bits with no expiry.
   - Use the web commit signing user's username, for example, web-flow.
   - Use the no-reply email address defined in the Management Console, which should be the same as the email address of the web commit signing user, for example, web-flow.
   - The PGP key cannot be protected by a passphrase.

2. Define the key as an environment variable for GitHub Enterprise Server, replacing <YOUR-KEY-ID> with the GPG key ID.

   ghe-config "secrets.gpgverify.web-signing-key" "$(gpg --export-secret-keys -a <YOUR-KEY-ID> | awk '{printf "%s\\n", $0}')"
3. Update the settings for GitHub Enterprise Server's commit signing service by running the following two commands.

   sudo consul-template -once -template /etc/consul-templates/etc/nomad-jobs/gpgverify/gpgverify.hcl.ctmpl:/etc/nomad-jobs/gpgverify/gpgverify.hcl
   nomad job run /etc/nomad-jobs/gpgverify/gpgverify.hcl
4. Run the following command, replacing KEY-ID with your PGP key ID.

   gpg --armor --export KEY-ID

5. Copy your PGP key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

6. Sign into GitHub Enterprise Server as the user created for web commit signing, for example, web-flow.

7. Add the public PGP key to the user's profile. For more information, see "Adding a GPG key to your GitHub account."

   Note: Do not remove other public keys from the list of GPG keys. If a public key is deleted, any commits signed with the corresponding private key will no longer be marked as verified.
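Both procedures above (enabling web commit signing, and rotating the key) start by generating a key that must be RSA, at least 4096 bits, without expiry, and whose user ID matches the signing user's name and no-reply email; a mistake there is only discovered after the configuration run. The following pre-flight check is an added example, not code from the GitHub docs or from GitHub Enterprise Server: it parses the machine-readable output of gpg --with-colons --list-secret-keys <YOUR-KEY-ID> (real gpg options) piped to it, and the embedded sample listings, key IDs and addresses are constructed for the demonstration. Whether the key is passphrase-free is not visible in that listing and is not checked.

```shell
#!/usr/bin/env bash
# Added example (not from the GitHub docs). Usage on the appliance, before step 2:
#   gpg --with-colons --list-secret-keys <YOUR-KEY-ID> | check_web_signing_key web-flow web-flow@my-company.com

check_web_signing_key() {
  # $1 = expected username, $2 = expected email; colon-format gpg listing on stdin.
  # Prints "OK" and returns 0, or prints "FAIL: <reasons>" and returns 1.
  awk -F: -v want_name="$1" -v want_mail="$2" '
    $1 == "sec" {                                   # primary secret key record
      seen = 1
      if ($3 + 0 < 4096) fail = fail "key-too-short(" $3 ") "
      if ($4 != "1")     fail = fail "not-rsa(algo=" $4 ") "   # algorithm 1 = RSA
      if ($7 != "")      fail = fail "has-expiry "              # field 7 = expiry date
    }
    $1 == "uid" && $10 == (want_name " <" want_mail ">") { uid_ok = 1 }   # field 10 = user ID
    END {
      if (!seen)   fail = fail "no-secret-key "
      if (!uid_ok) fail = fail "uid-mismatch "
      if (fail != "") { print "FAIL: " fail; exit 1 }
      print "OK"
    }'
}

# Constructed sample listings with fake key IDs and fingerprints (not real keys).
SAMPLE_GOOD='sec:u:4096:1:0123456789ABCDEF:1700000000::u:::scESC:::+:::23::0:
uid:u::::1700000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::web-flow <web-flow@my-company.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::e:::+:::23:'

# Same key, but with an expiry date set in field 7 of the sec record.
SAMPLE_EXPIRING='sec:u:4096:1:0123456789ABCDEF:1700000000:1800000000:u:::scESC:::+:::23::0:
uid:u::::1700000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::web-flow <web-flow@my-company.com>::::::::::0:'

check_key_sample() {   # run one of the sample listings through the check
  printf '%s\n' "$1" | check_web_signing_key "$2" "$3"
}

check_key_sample "$SAMPLE_GOOD" web-flow web-flow@my-company.com
```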
Disabling web commit signing
You can disable web commit signing for your GitHub Enterprise Server instance.
1. In the administrative shell, run the following command.

   ghe-config app.github.web-commit-signing-enabled false

2. Apply the configuration.

   ghe-config-apply