How to sign commits for any open source Projects

Adding GPG key and configuring with your repository

·

3 min read

In the Open source world, signing your commits is very important for compliance, and validating the person making the commit. A few days back, I was trying to contribute to the Direktiv Repository. I tried to follow the general way of making PR but noticed that I needed to set my computer up more to be able to sign my commits. This guide will help you set up your computer so that you can start committing to any open source project and won't have to worry if your commits are not signed :

  1. Forking the Repo
  2. Cloning into the Local system.
    git clone https://github.com/itisaby/direktiv
    
  3. Changing the Branch
    git checkout -b <Branch Name>
    
  4. Making the Appropriate Changes
  5. Staging it using
    git add .
    
  6. Committing the code using
    git commit -sm "MESSAGE"
    
  7. Finally pushing it on the Forked repo in the branch we created locally
    git push origin <Branch Name>
    
  8. Then I got a Create PR Option in my forked repo: image.png
  9. But, after creating a PR I got to see this: image.png As you can see, it says the merging is blocked, as we need to have a Signed Commit. You can check more about it by reading this doc After that, I reverted back to the old version using
    git revert <Commit ID>
    
    then I made the changes and tried this command:
    git commit -S -sm "update CONTRIBUTORS.md"
    
    OR you can even create a new branch, make changes to it, and try to use the above command for a signed commit. But the moment I ran that command I found this error: image.png As you can see from the error message that the gpg key failed. This is because we haven't added any GPG key in our local system, through which we can make signed commits. So now we need to see how to add a GPG key to our local system and make signed commits.

    Adding GPG Key in our Local System

  10. First check whether you have an existing gpg key with this command:
    gpg --list-secret-keys --keyid-format=long
    
    If you don't have any gpg key you will see this: image.png
  11. Since we don't have a gpg key, so we need to generate it using this command:
    gpg --full-generate-key
    
    Now we get to choose the option: image.png Choose the first one that is the default: image.png Choose All the default option and then it will ask for your name, email, and some comments. Finally, it will ask for a passphrase where you can write a password. image.png image.png Now if you want to check the generated key you can check by using the previous command:
    gpg --list-secret-keys --keyid-format=long
    
    It will show like this: image.png The Key which is generated it is AADE3CB05ECB0F7A615D05619A6E90FEDC0562FD in this case, it will be different in your case.
  12. We need to run the below command, which prints the GPG key ID in ASCII armour format:
    gpg --armor --export AADE3CB05ECB0F7A615D05619A6E90FEDC0562FD
    
    You will be able to see your gpg key in the ASCII armour format. Now you need to add that key to your GitHub, so copy it down from
    -----BEGIN GPG PUBLIC KEY BLOCK-----
    .
    .
    .
    ---END GPG PUBLIC KEY BLOCK-----
    
    to add to your GitHub account, you can check by following the steps in this Doc
  13. Tell Git about the GPG key.
    git config --global user.signingkey AADE3CB05ECB0F7A615D05619A6E90FEDC0562FD
    
  14. You need to configure the gpg with all your commits:
    git config --global gpg.program gpg
    
    You can read about it more in this Link

After this, Now try to commit your changes using:

git commit -sm "add terraform template(example)" -S

image.png

Did you find this article valuable?

Support Arnab's Blog by becoming a sponsor. Any amount is appreciated!

Â