REF:
- https://nickjanetakis.com/blog/signing-and-verifying-git-commits-on-the-command-line-and-github#cheatsheet
- Signing and Verifying Git Commits on the Command Line and GitHub: https://www.youtube.com/watch?v=4166ExAnxmo
- gpg --list-secret-keys --keyid-format=long
  List all existing GPG secret keys.
- gpg --list-keys
  List keys (public keyring).
- gpg --armor --export [GPG ID] > [filename].gpg.pub
  Export the GPG public key, or: gpg --export --armor --output [filename].gpg.pub [GPG Key ID]
- gpg --full-generate-key
  Create a new GPG key:
  - choose "RSA and RSA" as the default
  - choose a key length between 2048 and 4096
  - choose an expiration, e.g. 15m (15 months)
  - fill in your identity
  - add a GPG key password
- gpg --edit-key [GPG ID]
  Edit a key.
  - Inside the prompt, use help or ? to see the available GPG commands. For example: adduid adds a new UID (name, email and comment).
- gpg --fingerprint
  Show the fingerprint, which other people can use (put it on your ID card or email).
- gpg --import theirname.gpg.pub
  Import a GPG public key.
Add GPG into BASH
# Written for zsh; with bash, append to ~/.bashrc instead.
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc && source ~/.zshrc
Backup GPG Key
# Public key
gpg --armor --output gpg_pub_key.gpg --export XXXXXXXXXXX
# Secret key (separate file, so it does not overwrite the public key export)
gpg --armor --output gpg_sec_key.gpg --export-secret-keys XXXXXXXXXXX
Allow GIT to SIGN
git config --global gpg.format openpgp
git config --global user.signingkey XXXXXXXXXXXXX
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Signed commit
# If your git and gpg key email addresses are different this will fail until
# you configure your git signingkey (covered on video).
git commit -S -m "Signed commit"
git log --show-signature
Unsigned tag
git tag lightweight-tag
git show lightweight-tag
git tag -am "" unsigned-annotated-tag
git show unsigned-annotated-tag
Signed tag
git tag -sm "" signed-tag
git show signed-tag
Overriding the auto-sign config options
git commit --no-gpg-sign -m "Unsigned commit"
git tag --no-sign unsigned-lightweight-tag
Verifying signatures when merging a branch with git
# It's expected that you already modified your .gitconfig to auto-sign commits.
git checkout -b feature-something
touch somefile && git add -A && git commit -m "Hello world"
git checkout master
git merge --verify-signatures feature-something
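Added example (not from the referenced cheatsheet or video): git merge --verify-signatures checks the tip commit of the branch being merged, so this script audits every commit in a range using git log's %G? and %GK placeholders. The function names and the sample log lines are constructed for illustration.

```shell
# classify_sig STATUS: map a %G? status letter to a verdict; succeeds only for "G".
classify_sig() {
  case "$1" in
    G) echo "ok" ;;
    U) echo "good signature, key not trusted"; return 1 ;;
    X) echo "signature expired"; return 1 ;;
    Y) echo "signed by an expired key"; return 1 ;;
    R) echo "signed by a revoked key"; return 1 ;;
    B) echo "BAD signature"; return 1 ;;
    E) echo "cannot be checked (missing public key?)"; return 1 ;;
    N) echo "no signature"; return 1 ;;
    *) echo "unknown status '$1'"; return 1 ;;
  esac
}

# audit_sigs: read "<hash> <status> <key id>" lines on stdin, print one line
# per commit that fails the policy, and return non-zero if any commit failed.
audit_sigs() {
  failed=0
  while read -r hash status key; do
    [ -n "$hash" ] || continue
    if ! reason=$(classify_sig "$status"); then
      printf '%.12s %s: %s\n' "$hash" "${key:-no-key}" "$reason"
      failed=1
    fi
  done
  return "$failed"
}

# audit_range BASE BRANCH: audit every commit on BRANCH that is not on BASE.
audit_range() {
  git log --format='%H %G? %GK' "$1..$2" | audit_sigs
}

# Constructed sample of `git log --format='%H %G? %GK'` output (not real commits).
sample_log() {
  cat <<'EOF'
0123456789abcdef0123456789abcdef01234567 G AAAAAAAAAAAAAAAA
fedcba9876543210fedcba9876543210fedcba98 N
00112233445566778899aabbccddeeff00112233 U BBBBBBBBBBBBBBBB
EOF
}

# Demo on the sample; in a repository run: audit_range master feature-something
sample_log | audit_sigs || echo "merge blocked: unsigned or untrusted commits"
```

A commit with status U verifies cryptographically, but its key has no trusted UID in the local keyring; importing and certifying the signer's public key changes it to G.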