Signing your TAG with Git - MacOSX

Recently I was asked to start versioning our master with tags and while doing some research about it I found a relevant blog post from Mike Gerwitz Git Horror Story about signing git commits.

I won't get inside the subject but I think signing at least your tags is a good initial step towards security.

In this guide you will:
- Install GPG (Gnu Privacy Guard)
- Create a signed key
- Create a signed tag
- Push tag to git server

You should already have git installed, of course.

So let's get started.

Installing MacGPG

You should follow MacGPG instructions at MacGPG at Sourceforge

Or if you like tools that solves your problems hidding the neat part use GPG Tools, altough I personally didn't test it.

Creating a signed key

Before we can really use tag command we must create a key, in a similar way that we do when using ssh private keys for GitHub.

In a terminal use:

gpg --gen-key

The terminal should ask you to select your key type like this:

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?

The default selection is prefered in this case, unless you REALLY KNOWS why you would want to choose other options.

Next he asks you to choose a size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

I guess 2048 is good enough for me, pick a size you need.

Now it will asks for an expire date, even if you have really strong reasons for not setting an expire date THINK AGAIN.

Please specify how long the key should be valid.
0 = key does not expire
= key expires in n daysw = key expires in n weeksm = key expires in n monthsy = key expires in n years Key is valid for? (0)

On this step you need to use your REAL information: name, email and passphrase. A comment can be inserted also, but isn't required (I recommend using it to differ this key amongst other keys).

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de="">

Type O when you have finished and the terminal will prompt for a passphrase
And you're done for this step, let's create some tags.

Type O when you have finished and the terminal will prompt for a passphrase

And you're done for this step, let's create some tags.

Creating Tags with Git

I won't go in deep details about git tags, so if you want to read some about the subject first this is the right place: Git Basics Tagging

First you should get your key identifier, run the following command

gpg --list-secret-keys

This should print anything similar to:

sec 2048R/8EE30EAB 2013-07-16 [expires: 2015-07-16] uid Name (Comment) <youremail@email.com=""> ssb 2048R/hexvalueB 2013-07-16

Copy the 8EE30EAB from sec (yours probably is different)

Go to your repository folder on terminal and config git to use this key (remove the --global param to apply only for current repository)

git config --global user.signingkey 8EE30EAB

Finally create the tag

git tag -s v1.5 -m 'my signed 1.5 tag'

Show it with

git show v1.5

Push it with

git push origin v1.5

If you have more than one tag you can use

git push origin --tags

And that's it. If you have any problems leave it on comments I'll be glad to help if I can.