Signing your git commits is the best way to prevent impersonation attacks. Let's dive into setting it up via GPG.
You're going to need Homebrew. Get it here if you don't already have it installed.
Install GPG and pinentry-mac via brew
Ensuring it doesn't break
Sometimes GPG stomps its feet and cries out something about “tty” and “invalid” but the following instructions would shut it up.
Set pinentry-mac as the desired pin entry program:
Creating your keypair!
gpg --full-gen-key to pull up the key generation tool. Follow the choices made below (apart from the personal details).
Exporting your ID
After the generation of your keys above, run
gpg -K --keyid-format SHORT to get a list of your key IDs.
Copy your key ID and fingerprint, respectively. Follow the following example to decipher the output.
Exporting your Public Key
With the ID from before, run the following command
gpg --armor --export [Key ID].
You should see an output similar to this;
Copy the entire block, from the first dash of the
BEGIN text to the last dash of the
This is what you will paste in your GitHub (Or your preferred version control cloud hosting platform) settings.
Setting up Git
Configure signing program
Run the following command to set the default GPG program for git;
git config --global gpg.program $(which gpg)
Configure signing key
Using your key fingerprint from way earlier, run the following command
git config --global user.signingkey [Key Fingerprint]
Configure signing behaviour
For best practice, run the following command to enable signing all commits by default (as opposed to having to type the
-S flag for each command).
git config --global commit.gpgsign true
Setting up GitHub
- Visit your GPG keys settings page here.
- Click on the New GPG Key button
- Paste your public key from earlier, click on Add GPG key
(Complete security verification, if necessary)
- Enable “Vigilant mode”
When you perform a commit (e.g.
git commit -S -m "Commit Message Here"), you'll be prompted by the pinentry-mac prompt for your key password. Only after a successful authentication will the commit be signed and ready to go!
Set up commit signing for VS Code
Open up your user preferences UI (⌘ + ,) and enable the Git: Enable Commit Signing option!
- Thanks to Troy Fontaine's guide for the pinentry fix