Set up signed (verified) GitHub check-ins from Windows

Preconditions

Steps

  1. Install GNU Privacy Guard (GnuPG) for Windows. Git Bash ships its own gpg, but that version is too old, so install the latest Gpg4win:
    https://www.gpg4win.org/get-gpg4win.html
  2. Open Git Bash. Check the gpg version (it is probably older than the one we just downloaded):
    $ gpg --version
    gpg (GnuPG) 1.4.22
  3. Tell Git to use our newer install of GPG (adjust the path if your Gpg4win installer put gpg.exe somewhere else):
    $ git config --global gpg.program "/C/Program Files (x86)/GnuPG/bin/gpg.exe"
  4. Put the GnuPG directory at the front of the PATH in .bash_profile, so that gpg on the command line resolves to the new version:
    $ cd ~
    $ nano .bash_profile

    Add this to the end of the file and save:

    PATH="/C/Program Files (x86)/GnuPG/bin":$PATH
  5. Exit bash (close the window), start a new one up, and check the gpg version again:
    $ gpg --version
    gpg (GnuPG) 2.2.4
  6. Generate a new GPG key (gpg --full-generate-key, then gpg --armor --export <key>). See this for step-by-step details:
    https://help.github.com/articles/generating-a-new-gpg-key/

    NOTE: I have found that on git-bash "gpg --full-generate-key" hangs indefinitely; however, when I ran the gpg steps from git-cmd or generated the key from the Kleopatra user interface instead, everything worked fine.

  7. Tell GitHub about your key (gpg --armor --export <key>, then paste the output into GitHub): See https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
  8. Tell Git (local) about your key (git config --global user.signingkey <key>): See https://help.github.com/articles/telling-git-about-your-gpg-key/
  9. Sign every commit automatically with GPG:
    $ git config --global commit.gpgsign true

    (If you also work in repositories that don't require GPG signing, leave out --global and run this inside the working copy of the project that does; otherwise you must pass the -S option to git commit every time.) To check that a commit actually carries a valid signature, run git log --show-signature -1 in the repository. See https://help.github.com/articles/signing-commits-using-gpg/ for more detail.
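The whole procedure above, collected into one Git Bash script as an added example (this is not code from the original post). It assumes the Gpg4win path the post uses (override with GPG_BIN), that you have already generated a key and added it to GitHub, and that the side-effecting part only runs when RUN_SETUP=1 is set; the sample "gpg --version" and "gpg --list-secret-keys" lines in the helpers are constructed for illustration, and the key id shown is a placeholder, not a real key.

```shell
#!/usr/bin/env bash
# Added example: wire Git Bash up to the Gpg4win gpg.exe, enable automatic
# commit signing, and verify that HEAD really is signed.
# Assumption: GPG_BIN defaults to the Gpg4win location used in the post.
GPG_BIN="${GPG_BIN:-/C/Program Files (x86)/GnuPG/bin/gpg.exe}"

# Parse the first line of `gpg --version`, e.g. "gpg (GnuPG) 2.2.4",
# and return the major version number (0 if the line is unrecognised).
gpg_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG) \([0-9][0-9]*\)\..*/\1/p')
    printf '%s\n' "${v:-0}"
}

# Succeeds only for GnuPG 2.x or newer; the 1.4.x that Git Bash ships is too old.
gpg_is_modern() {
    [ "$(gpg_major_version "$1")" -ge 2 ]
}

# Pull the long key id out of `gpg --list-secret-keys --keyid-format long`.
# Constructed sample line: "sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC]"
secret_key_id() {
    printf '%s\n' "$1" | sed -n 's|^sec .*/\([0-9A-F]\{16\}\) .*|\1|p' | head -n 1
}

# Point Git at the new gpg, select the signing key and sign every commit.
# $1: key id, $2: "global" for all repositories, anything else for this repo only.
configure_git_signing() {
    scope="--local"
    [ "$2" = "global" ] && scope="--global"
    git config "$scope" gpg.program "$GPG_BIN"
    git config "$scope" user.signingkey "$1"
    git config "$scope" commit.gpgsign true
}

# %G? prints "G" for a good, trusted signature on the commit. "U" would mean a
# good signature from a key you have not marked trusted, "N" means unsigned.
verify_head_signed() {
    [ "$(git log -1 --format=%G?)" = "G" ]
}

# Side-effecting part: only runs when explicitly requested (RUN_SETUP=1).
if [ "${RUN_SETUP:-0}" = "1" ]; then
    gpg_is_modern "$("$GPG_BIN" --version | head -n 1)" \
        || { echo "GnuPG 2.x required at $GPG_BIN" >&2; exit 1; }
    key_id=$(secret_key_id "$("$GPG_BIN" --list-secret-keys --keyid-format long)")
    [ -n "$key_id" ] \
        || { echo "no secret key found; run gpg --full-generate-key first" >&2; exit 1; }
    configure_git_signing "$key_id" "${SCOPE:-local}"
    git commit --allow-empty -m "test: signed commit"
    verify_head_signed && echo "HEAD is signed by $key_id"
fi
```

Run it from inside the repository as RUN_SETUP=1 SCOPE=local ./setup-signing.sh (or SCOPE=global to apply to every repository). The empty test commit at the end is there so verify_head_signed has something to check; the "G" result requires that the key is in the keyring gpg.exe uses, which is exactly the mismatch the PATH and gpg.program steps above exist to prevent.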