Securing git commits from tricking you on Windows


Did you know that by default you can check in code as anyone in your git repository? All you need to do is run `git config user.name "{username}"` and `git config user.email "{email}"` and you can trick git into thinking you are someone else. For a better understanding of what kinds of problems this can create, go and read Mike Gerwitz's article, A Git Horror Story. Luckily, Git lets you resolve this issue pretty easily by letting you sign commits using GPG (GNU Privacy Guard).

The GitHub help article Signing commits using GPG is a pretty good guide on how to set it up. But it requires you to use the git bash console. So, what do you do if, like me, you are on a Windows machine and would prefer to use a GUI? Don't fear, this guide will tell you what you need to know.

Using Gpg4win with Git needs a little bit of configuration so let’s start configuring it.
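To show what the configuration is working towards, here is an added example (not from the original post) in PowerShell that wires Git on Windows to a Gpg4win key, turns on commit signing, and then lists the signature status of recent commits so an unsigned commit that merely claims a teammate's name stands out. The gpg.exe path and the `$KeyId` placeholder are assumptions: use the install path on your machine and the Key-ID you note down in Kleopatra.

```powershell
# Added example, not the post author's code. Assumptions: Gpg4win normally
# installs gpg.exe at the path below (check your own install), and $KeyId is
# the Key-ID shown for your key in Kleopatra (placeholder here).
$GpgExe = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'
$KeyId  = 'REPLACE_WITH_YOUR_KEY_ID'

if (-not (Test-Path $GpgExe)) { throw "gpg.exe not found at $GpgExe" }

# Confirm the secret key really exists in the Gpg4win keyring before Git is told to use it.
& $GpgExe --list-secret-keys --keyid-format LONG $KeyId
if ($LASTEXITCODE -ne 0) { throw "No secret key $KeyId in the GnuPG keyring" }

# Point Git at Gpg4win's gpg.exe (Git for Windows ships its own gpg, which does not
# see Kleopatra's keyring), select the signing key, and sign every commit and tag.
git config --global gpg.program $GpgExe
git config --global user.signingkey $KeyId
git config --global commit.gpgsign true
git config --global tag.gpgSign true

# Review recent history. %G? is the signature status: G = good, B = bad,
# U = good but key not trusted, E = cannot be checked, N = no signature.
# %GK is the key that signed, %an/%ae the author name and e-mail the committer
# claimed. A commit whose author looks like a colleague but shows N or E is the
# "anyone can set user.name" problem the post describes.
git log --format='%h %G? %GK %an <%ae> %s' -n 10

# Exit non-zero if HEAD does not carry a valid signature; handy as a local
# sanity check before pushing.
git verify-commit HEAD
if ($LASTEXITCODE -ne 0) { Write-Error "HEAD is not carrying a valid signature" }
```

The verification step is the part to remember: signing only helps if reviewers actually look at `%G?` (or `git log --show-signature`) rather than at the author name, which remains free text.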

Setup Kleopatra

  1. Download Gpg4win and install it using the installer.

  2. Go to the Start menu and start Kleopatra.

  3. Click on File -> New Key Pair.

Kleopatra

  4. Click on Create a Personal OpenPGP key pair.

Key Pair Creation

  5. Enter details and click Next.

Enter details

  6. Review and create the key. This will show a popup asking you to enter a passphrase to protect the key.

  7. Enter a passphrase and click OK.

Enter Passphrase

  8. At this point, the key pair should be created. Click on Finish.

You can create a backup of the key and save it somewhere safe.

Key pair Created

  9. You should now see the key in Kleopatra.

Key in Kleopatra

  10. Keep a note of the Key-ID. We will need it in a minute.

This is D1E4471 in the screenshot above.

  11. Double click the key to see the certificate details.

Key Details

  12. Click on Export and copy the public GPG key.

_Make sure you copy everything including `