For my first contribution to kubefirst (#712), I was asked to sign all commits in my PR. I wanted to avoid touching every commit one by one.

Here is how I did that:

Creating a GPG key

First, I created a GPG key using:

> gpg --full-generate-key

You will be prompted for the key type, key size and expiry, and then for a name and an email address. The email address must be one of the verified addresses on your GitHub account (https://github.com/settings/emails) and must match the email git puts into your commits (user.email); otherwise GitHub cannot link the signature to your account and the commits still show up as Unverified.

Importing the GPG Key to GitHub

Once done, you will have to add the generated GPG public key to your GitHub profile. To do so, list your secret keys and export the public part of the one you just created, using the following commands:

# list all gpg keys; the key ID is the part after "rsa3072/" on the "sec" line
> gpg --list-secret-keys --keyid-format=long
/home/morelly_t1/.gnupg/pubring.kbx
-----------------------------------
sec   rsa3072/37FE261E2B7BC685 2024-03-28 [SC]
      1EDC06C89C0F011027ECEB2437FE261E2B7BC685
uid                 [ultimate] Tom Morelly <tommorelly@gmail.com>
ssb   rsa3072/B45E75445BEE3DCD 2024-03-28 [E]

# export the public key for a specific key ID (ASCII-armored so it can be pasted)
> gpg --armor --export 37FE261E2B7BC685 # id from the previous command output
-----BEGIN PGP PUBLIC KEY BLOCK-----
ABSJFIJR324343
-----END PGP PUBLIC KEY BLOCK-----

You can then copy the whole public key block (including the BEGIN and END lines) and paste it under "New GPG key" in your GitHub GPG settings (https://github.com/settings/keys). Only the public key goes there; the secret key never leaves your machine.

Sign all commits in the PR

Last but not least, I had to sign all commits in the PR. I found a neat one-liner to achieve that. It uses an interactive rebase with --exec to amend every commit with a signature:

# source: https://superuser.com/questions/397149/can-you-gpg-sign-old-commits

# find the hash of the last commit that should stay untouched (here the
# upstream commit the PR branches off); every commit after it gets re-signed
> git log --oneline
f43a6286 (HEAD -> main, origin/main, origin/HEAD) fix(ci): terraform fmt recursive
847c043a fix(terraform): improve metaphor secrets
0940ba13 fix(terraform): terraform fmt & avoid depends_on
6a1c0338 (tag: v2.4.3, upstream/main) fix: cloudflare # last commit before my changes

# gpg-sign every commit after that hash (the hash itself is the rebase base and
# is not modified): -S signs, --no-edit keeps the message, -n skips commit hooks
> git rebase --exec 'git commit --amend --no-edit -n -S' -i 6a1c0338 # hash of the last untouched commit

It opens the interactive rebase todo list in your $EDITOR, with an exec line after every pick; you can double-check it and then proceed by saving and closing the editor. If your GPG key is protected by a passphrase, a pinentry window should open up and prompt you for it (gpg-agent caches the passphrase, so you are normally asked once rather than once per commit).

Once done, all commits were signed without touching every single one by hand. Double-check your history once more before you push. The push has to be forced, because amending changes every commit hash after the base; prefer --force-with-lease over --force, since it refuses the push if someone else has pushed to the branch in the meantime.
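The same procedure as a script, added here as an example (it is not from the original post or from kubefirst). check_signed reads the output of git log --format='%G? %H %s' and prints every commit whose signature git does not report as good; resign_and_check runs the rebase non-interactively, accepting the todo list as generated, and then refuses to continue if an unsigned commit remains. The %G? status letters are git's own; the base hash in the usage comment is the one from the post and must be replaced with yours.

```shell
#!/bin/sh
# Added example, not part of the original post: re-sign every commit after a
# base commit non-interactively, then check that no unsigned commit remains
# before force-pushing. Needs git and gpg with a usable signing key.
set -eu

# Translate git's %G? signature-status letter (see "pretty formats" in
# git-log(1)) into a short verdict.
sig_status_desc() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key of unknown validity" ;;
    B) echo "BAD signature" ;;
    X) echo "good signature, but it has expired" ;;
    Y) echo "good signature, but the key has expired" ;;
    R) echo "good signature, but the key was revoked" ;;
    E) echo "signature cannot be checked (key missing)" ;;
    N) echo "no signature" ;;
    *) echo "unknown status '$1'" ;;
  esac
}

# Read "<status> <hash> <subject>" lines on stdin, as printed by
#   git log --format='%G? %H %s' <base>..HEAD
# and print every commit whose signature is not good. Returns 0 only when
# every commit carries a good (G) or good-but-untrusted-key (U) signature.
check_signed() {
  rc=0
  while read -r status hash subject; do
    [ -n "$status" ] || continue
    case "$status" in
      G|U) ;;
      *)
        printf '%s %s: %s\n' "$hash" "$subject" "$(sig_status_desc "$status")"
        rc=1
        ;;
    esac
  done
  return "$rc"
}

# Re-sign all commits after BASE (BASE itself is the rebase base and stays
# untouched), accepting the generated rebase todo list, then verify.
# GIT_SEQUENCE_EDITOR=true makes the interactive rebase non-interactive;
# -S signs each commit, --no-edit keeps its message, -n skips commit hooks.
resign_and_check() {
  base="$1"
  GIT_SEQUENCE_EDITOR=true git rebase -i \
    --exec 'git commit --amend --no-edit -n -S' "$base"
  git log --format='%G? %H %s' "$base..HEAD" | check_signed
}

# Usage (base hash taken from the post; use the hash of your own last
# untouched commit):
#   resign_and_check 6a1c0338 && git push --force-with-lease
```

check_signed is also useful on its own as a pre-push check: pipe git log --format='%G? %H %s' origin/main..HEAD into it and it lists exactly the commits that would still be Unverified.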

> git push --force

If everything worked correctly, GitHub should now list your commits as Verified:

(screenshot: the PR's commit list on GitHub showing the Verified badge)

Sign commits by default

For all future commits, you can configure git to sign every commit by default by running the command below. Without --global it applies to the current repository only; add --global to enable it for all repositories. If you have more than one secret key, also set user.signingkey to the key ID shown by gpg --list-secret-keys so git does not pick the wrong one:

> git config commit.gpgsign true