Automatic Git GPG Signing

This guide covers how to sign your Git commits with GPG automatically when using Cygwin on Windows. The goal is to avoid typing the password repetitively even when Cygwin does not provide the gpg-agent.

What is Git GPG Signing?

Git supports an extra security layer:
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

If you are a GitHub user you can read their guide on GPG signing here:
https://help.github.com/articles/generating-a-gpg-key/

I will not dive into detail describing what GPG signing is and why you want it, but in short you want this feature.

Automating the Process

Setting up basic GPG signing is pretty easy. Once you have got that covered you will want to automate signing so that it happens automatically. The following configuration commands will make sure you sign all commits always:

  • git config –global commit.gpgSign true
  • git config –global user.signingkey YourSigningKeyHere

This however means you will have to type your GPG key password every time you can commit something. That quickly gets boring. Using a key agent seems to be the way to go.

Cygwin lacks a GPG Agent

If you are a Windows Cygwin user like me you will bump into the unfortunate situation where no key agent is available to help you. Key agents are great. I personally use KeePass. But KeePass does not support GPG keys and Cygwin does not offer a packaged solution either.

Solution by Proxy

To solve this problem I whipped up the following solution:

  • git config –global gpg.program /home/Olof/autogpg.sh

And this is what autogpg.sh looks like:

#!/bin/bash

# Call gpg using the same argument and stdin.
# https://git-scm.com/docs/git-config
# https://www.gnupg.org/documentation/manpage.html
# --batch : Use batch mode. Never ask, do not allow interactive commands.
# --no-tty : Make sure that the TTY (terminal) is never used for any output.
# --yes : Assume "yes" on most questions. 
# --passphrase : Write your password here.
# $@ : Use the same arguments.
# <&0 : Use the same stdin.

gpg --batch --no-tty --yes --passphrase YourGPGPasswordHere $@ <&0

# Finally we exit with the same code as gpg.
exit $?

The solution is ugly and a bit insecure but gets the job done. We make use of the git configuration option “gpg.program” to proxy the gpg executable. The proxy supplies the password.

Insecure

The downside with this solution is that you store your GPG password in clear text in a file on your hard drive. So if you do make use of this solution you should make sure to use that specific GPG key for this purpose only.

I tried finding a way to embed the password inside KeePass but gave up after a couple of hours. This insecure solution will have to do for now.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *