Signing git commits is something I have already done in the past following the GitHub documentation. However, last week I stumbled upon Garrick’s post “Signed and verified: signed git commits with Keybase and RStudio”, which explains how to use Keybase for signing commits on macOS. As often, following a tutorial as a Windows user is not as easy. This post is about the steps I used to make it happen on Windows 10. It is mainly a resource for my future self, but it may be useful to others too.

About the tooling

I am working on Windows 10 and using PowerShell 7 in Windows Terminal for most of my CLI tasks.

If you are trying to set all this up in WSL, following Garrick’s post should work fine as it is Linux-based.

GPG on a Windows 10 computer

After several tries, I think the best working tool is Gpg4win. As I use winget (and scoop) as package manager, I installed it using

winget install gpg4win -i

I used the -i flag to trigger an interactive installation so I could unselect the Outlook and IE plugins, which I don’t use. The aim is to install only GPG and Kleopatra (the Windows GUI for GPG).

If you don’t use a package manager, you can also download it directly from https://www.gpg4win.org/

Keybase for managing identities

Keybase (https://keybase.io/) is “a key directory that maps social media identities to encryption keys (including, but not limited to PGP keys) in a publicly auditable manner.”1

winget install keybase

After that you can follow Garrick’s blog post.

Creating GPG / PGP key

keybase pgp gen --multi

This will run gpg for you to store the private key in the GnuPG keyring. Enter a passphrase when prompted.

If you open the Kleopatra GUI, you’ll see the newly created GPG key in your keychain.
If you open the Keybase GUI, you’ll see the registered PGP key in your identities.

Setting up in Git

Follow the guide “A guide to securing git commits from tricking you on Windows”:

# Tell Git to use the key
git config --global user.signingkey <keyid>
# Tell Git to sign commits by default
git config --global commit.gpgsign true
# Tell Git to sign tags by default
git config --global tag.gpgsign true
# Tell Git to use the gpg program from gpg4win
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

Add your key to GitHub

keybase pgp export -q <keyid> | Set-Clipboard

Then paste it in github.com/settings/keys when creating a new GPG key.

Start GPG agent on Windows startup

gpg-agent is used by Git to sign the commit: it opens a window for you to enter your passphrase. Unfortunately, I am not sure why this process does not start on Windows startup. You’ll need to add it manually to your startup programs.

Following this resource is easy enough: “GPG on Windows - Start the agent on startup”.
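Once the steps above are done, it is worth checking end to end that Git actually signs and verifies commits before relying on it. The following PowerShell script is an added example (not from the original post or from Keybase/Gpg4win); it assumes gpg.exe at the Gpg4win path used above and a key id already stored in user.signingkey.

```powershell
# Added example: check that Git commit signing is wired up on Windows 10 with Gpg4win.
# Assumes the gpg.program / user.signingkey values set earlier in this post.
$gpgPath = git config --global gpg.program
if (-not $gpgPath) { $gpgPath = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe' }  # Gpg4win default path
if (-not (Test-Path $gpgPath)) { throw "gpg.exe not found at $gpgPath" }

$keyId = git config --global user.signingkey
if (-not $keyId) { throw 'user.signingkey is not set; run: git config --global user.signingkey <keyid>' }

# The secret key must live in GnuPG's keyring (keybase pgp gen --multi puts it there);
# otherwise git fails with "gpg failed to sign the data".
& $gpgPath --batch --list-secret-keys $keyId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "No secret key $keyId in the GnuPG keyring" }

# Make sure gpg-agent is reachable (it handles the passphrase prompt); /bye starts it if needed.
$agentCli = Join-Path (Split-Path $gpgPath) 'gpg-connect-agent.exe'
& $agentCli /bye | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'gpg-agent could not be started' }

# Create a throwaway repository, make one signed commit, and ask git to verify it.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ('sigtest-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Push-Location $tmp
try {
    git init -q
    Set-Content -Path 'README.md' -Value 'signing test'
    git add README.md
    # -S forces signing even if commit.gpgsign is not set; pinentry will ask for the passphrase.
    git commit -q -S -m 'test: signed commit' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'git could not create a signed commit' }

    git verify-commit HEAD
    if ($LASTEXITCODE -ne 0) { throw 'Signature on HEAD did not verify' }

    # %G? prints G for a good signature, %GK the key id, %GS the signer's user id.
    $status = git log -1 --pretty='%G? %GK %GS'
    if (-not $status.StartsWith('G ')) { throw "Unexpected signature status: $status" }
    Write-Host "OK: commits are signed with $keyId and verify locally ($status)"
}
finally {
    Pop-Location
    Remove-Item -Recurse -Force $tmp
}
```

If the verify step fails, the key id in user.signingkey usually does not match the key in the GnuPG keyring, or gpg.program points at a different gpg.exe than the one holding the secret key.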

Resources
  1. https://en.wikipedia.org/wiki/Keybase