With the increasing prevalence of inserting malicious code into commonly-used open source projects on the rise, it might be time to enforce commit signing for your open source project. This prevents someone from spoofing your identity on commits they make. If it’s not signed with your key, then it’s not verified and the UI will show this.
When setting up gpg (v2) to automatically sign your commit messages, you may run into an error:
error: gpg failed to sign the data fatal: failed to write commit object
If you re-run your
git commit command with
GIT_TRACE=1, you can see it
gpg --status-fd=2 -bsau <your-signing-key> but failing.
The cause of this is the
pinentry process. By default
gpg uses the
pinentry program which requires a TTY and access to the shell’s stdin.
This doesn’t appear to function properly on a Mac. Instead, you should use
$ brew install pinentry-mac $ echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf $ gpgconf --kill gpg-agent
git commit command and you should see a GUI pop-up to request
your GPG key’s passphrase. Enter it and the commit will succeed!
You can setup automatic signing with the following commands:
$ git config --global user.signingkey <key_id> $ git config --global commit.sign true $ git config --global commit.gpgSign true
Make sure to upload your GPG key to your GitHub account:
$ gpg --armor --export <key_id>