‹‹ All posts

GitHub, GitLab commit verification with Keybase

09 of June, 2018

Keybase is an awesome free key directory, which allows to prove web identities, have encrypted chats and also offers secure storage system. The support for GitHub identity verification comes out of the box, but to use it to sign your git commits on GitHub and GitLab you have to do some extra steps. Here’s how.

Note: this article assumes the reader already have github and keybase accounts and have git and github setup on the machine already.

1. Install gpg and keybase

brew install gnupg
brew cask install keybase
keybase login

2. Generate the new key

Make sure to use email, which is already already associated to your github and gitlab accounts, so that you would not need to do an extra verification step.

keybase pgp gen --multi

3. Newly generated key should be listed

Note it’s ID, it will be used in the rest of the article.

keybase pgp list

4. Add key to GPG

In following command replace %%Keybase_key_ID%% token with the ID of the key you are going to use from the list.

export KEYBASEKEYID=%%Keybase_key_ID%%
export GPG_TTY=$(tty)
keybase pgp export -q $KEYBASEKEYID | gpg --import
keybase pgp export -q $KEYBASEKEYID --secret | gpg --allow-secret-key-import --import
gpg --list-secret-keys

5. New should be listed in GPG

gpg --list-keys

5. Test it all works

In following command replace %%GPG_key_ID%% token with the GPG key ID. From gpg list command in the output like `

export GPGKEYID=%%GPG_key_ID%%
echo "test" | gpg --clearsign --local-user $GPGKEYID

6. Configure git to sign the commits with this key by default

git config --global gpg.program gpg
git config --global user.signingkey $GPGKEYID
git config --global commit.gpgsign true

7. Add the key to GitHub

keybase pgp export -q $KEYBASEKEYID | pbcopy
open https://github.com/settings/keys

8. Add the key to GitLab

open https://gitlab.com/profile/gpg_keys

9. Test all works for next commit your are going to make

git commit

On any of other machines you own you can reuse your existing key. Follow the same steps, but skip #2, #7 and #8. I wrote this mostly as a reminder for myself. The article is heavily based on this, but there is a gotcha from here too. Hope you found this helpful too.

comments powered by Disqus