This blog post explains how I set up and use the Git CLI with GitHub. I am currently contracting for a company where security is of the essence. This post shows how to use SSH for authentication and GPG for commit signing, and how to set up aliases that make day-to-day Git operations as effortless as possible.
I use the Windows Subsystem for Linux (WSL) with an Ubuntu distro for all my Git commands. See my previous post, Windows setup for working effectively with K8s, on how to set up WSL. I rely on SSH for authentication towards GitHub; the OpenSSH client ships with the Ubuntu distro, and setting it up is easy.
Run ssh-keygen to create the key pair. I choose the default for the location and empty text for the passphrase. Keep in mind that a key without a passphrase is usable by anyone who copies the private key file; if you want it protected at rest, set a passphrase and let ssh-agent cache it for the session. Copy the content of ~/.ssh/id_rsa.pub. Go to SSH and GPG keys under your profile in GitHub and create a new SSH key. Paste the content and give it a descriptive name.
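As an added example, not part of the original post, here is the same SSH setup as a script with the checks a security engineer would want: an ed25519 key (GitHub accepts RSA and ed25519; ed25519 keys are shorter and avoid the SHA-1 signature issues of older RSA setups), a per-host SSH config with IdentitiesOnly so the agent never offers your other keys to GitHub, and pinning of GitHub's host key only after its fingerprint matches the one you read from GitHub's documentation page on SSH key fingerprints. The key path, comment, passphrase and the expected fingerprint argument are assumptions; nothing here is the author's own script.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): set up an SSH key for GitHub
# with a passphrase, a per-host config, and a verified pinned host key.
# Assumed paths: ~/.ssh/id_ed25519_github and ~/.ssh/config.
set -euo pipefail

SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
KEY_FILE="${KEY_FILE:-$SSH_DIR/id_ed25519_github}"

# Generate an ed25519 key protected by a passphrase. ssh-agent (see
# check_github_auth) means you type the passphrase once per session.
make_github_key() {
    local comment="$1" passphrase="$2"
    mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
    [ -f "$KEY_FILE" ] || ssh-keygen -q -t ed25519 -C "$comment" -f "$KEY_FILE" -N "$passphrase"
    chmod 600 "$KEY_FILE"
    echo "$KEY_FILE.pub"   # this is what you paste into GitHub
}

# Per-host config. IdentitiesOnly stops the agent from offering every key it
# holds, so GitHub only ever sees the key meant for it.
write_github_ssh_config() {
    local cfg="$SSH_DIR/config"
    touch "$cfg" && chmod 600 "$cfg"
    if ! grep -q '^Host github.com$' "$cfg"; then
        cat >>"$cfg" <<EOF
Host github.com
    HostName github.com
    User git
    IdentityFile $KEY_FILE
    IdentitiesOnly yes
EOF
    fi
    echo "$cfg"
}

# Fetch GitHub's ed25519 host key, compare its SHA256 fingerprint with the
# one published in GitHub's docs (passed in by the caller), and only then
# add it to known_hosts. A mismatch means you are not talking to GitHub.
pin_github_host_key() {
    local expected="$1" scanned fp
    scanned=$(ssh-keyscan -t ed25519 github.com 2>/dev/null)
    fp=$(printf '%s\n' "$scanned" | ssh-keygen -lf - | awk '{print $2}')
    if [ "$fp" != "$expected" ]; then
        echo "host key fingerprint mismatch: got $fp, expected $expected" >&2
        return 1
    fi
    printf '%s\n' "$scanned" >>"$SSH_DIR/known_hosts"
}

# Load the key into the agent once, then confirm GitHub knows it. GitHub
# returns exit status 1 even on success, so check the greeting text instead.
check_github_auth() {
    ssh-add "$KEY_FILE"
    ssh -T git@github.com 2>&1 | grep -q "successfully authenticated"
}

# Typical run (network required for the last two steps):
#   make_github_key "fredrik@example.org" "<passphrase>"
#   write_github_ssh_config
#   pin_github_host_key "SHA256:<fingerprint from GitHub docs>"
#   check_github_auth
```

The pinning step is the one people skip: accepting the host key on first connection with a blind "yes" is exactly the moment a man-in-the-middle would exploit, and comparing the fingerprint against the documented value closes that window.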
SSH GitHub authorization when using SAML SSO
When the organization uses SAML SSO, you also need to authorize the SSH key for that organization. This is good: we do not want SSH access to linger for a developer who has left the company. The authorization lasts until the developer is removed from the IdP (Azure AD) and deprovisioned from the organization, at which point it is revoked, so offboarding in one place closes SSH access to the organization's repositories too. Good stuff. Follow the guide Authorizing an SSH key for use with SAML single sign-on - GitHub Docs to get it done.
GPG is a tool for public-key encryption and signing, and it also ships with Ubuntu. We will use it to sign our commits, so that other team members and GitHub can verify that a commit really came from you and has not been tampered with since.
GitHub has an excellent guide. Follow the steps outlined here: Generating a new GPG key - GitHub Docs.
Next we tell Git which key to use. Again GitHub has us covered: Telling Git about your signing key - GitHub Docs. For GitHub to show a commit as Verified, the key must be uploaded to your account, and both the email in the key's user ID and the commit's author email must match an email address verified on your GitHub account. So you cannot sign a commit under an email you do not control.
Git Aliases and config
Now that GPG and SSH are up and running, let us create some Git aliases.
> git config --global alias.st status
> git config --global alias.ci 'commit -S -s'
> git config --global alias.ls 'log --show-signature'
The -s flag (sign-off) adds a Signed-off-by: line with the full name and email from your Git config to the commit message. Why use it when you already sign with GPG? Strictly speaking, it does not verify your identity the way a GPG signature (-S) does; it is a plain-text trailer anyone can add. However, some open source projects require it, typically as a Developer Certificate of Origin. Feel free to skip it.
We also need to set the user email and name in the Git config.
> git config --global user.email "firstname.lastname@example.org"
> git config --global user.name "Fredrik Klingenberg"
> git config --global core.editor vim
We want vim as the default commit-message editor.
Turn off the GPG passphrase
It can be a bit annoying to type the GPG passphrase on every commit. Given that you lock your computer whenever you leave it, you can remove it. If you would rather keep the private key protected at rest, the alternative is to keep the passphrase and let gpg-agent cache it for a while after the first use (default-cache-ttl and max-cache-ttl in ~/.gnupg/gpg-agent.conf).
> gpg --passwd email@example.com
After entering the current passphrase once, press Enter at the following prompts to leave the new passphrase empty; gpg will ask you to confirm that you really want the key unprotected.
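As an added example that is not the author's own setup, the Git signing configuration from the section above and the passphrase handling from this one, as one script: it points Git at a signing key and turns on signing for every commit (so the -S in the ci alias becomes redundant), writes a gpg-agent cache lifetime as the alternative to an empty passphrase, exports GPG_TTY so pinentry can find the terminal when committing from vim under WSL, and exposes the signature status of a commit for checking. The key id, name, email and cache lifetimes are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): configure Git commit signing,
# cache the GPG passphrase in gpg-agent, and check a commit's signature.
# The key id, identity and TTL values below are assumed placeholders.
set -euo pipefail

# Tell Git which key signs, and sign every commit and tag by default.
configure_git_signing() {
    local key_id="$1" name="$2" email="$3"
    git config --global user.name "$name"
    git config --global user.email "$email"      # must be verified on GitHub
    git config --global user.signingkey "$key_id"
    git config --global commit.gpgsign true
    git config --global tag.gpgSign true
}

# Instead of removing the passphrase, let gpg-agent remember it:
# default-cache-ttl is seconds since last use, max-cache-ttl an absolute cap.
# Assumed values: 8 hours and 24 hours.
configure_gpg_agent_cache() {
    local gnupghome="${GNUPGHOME:-$HOME/.gnupg}"
    mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
    cat >"$gnupghome/gpg-agent.conf" <<'EOF'
default-cache-ttl 28800
max-cache-ttl 86400
EOF
    gpgconf --kill gpg-agent 2>/dev/null || true   # picks up the new config on next use
}

# Without GPG_TTY, gpg cannot open the passphrase prompt from inside
# "git commit" and fails with "Inappropriate ioctl for device".
ensure_gpg_tty() {
    local rc="$HOME/.bashrc"
    touch "$rc"
    grep -q 'GPG_TTY' "$rc" || echo 'export GPG_TTY=$(tty)' >>"$rc"
}

# Signature status of a commit, as Git reports it in %G?:
# G = good, B = bad, U = good but untrusted key, N = no signature,
# E = could not check (e.g. key not in keyring).
signature_status() {
    git log -1 --format='%G?' "$1"
}

# Typical run:
#   configure_git_signing 0123456789ABCDEF "Fredrik Klingenberg" "firstname.lastname@example.org"
#   configure_gpg_agent_cache
#   ensure_gpg_tty && source ~/.bashrc
#   git commit -m "first signed commit" && signature_status HEAD   # expect G
```

A status of E on a teammate's commit usually means their public key is not in your keyring, not that the signature is bad; import it (or check the commit on GitHub, which has the uploaded key) before treating the commit as suspicious.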
When viewing commits on GitHub you will see the Verified badge next to each signed commit:
The commits that GitHub creates when you make changes directly in the web UI are signed as well, with GitHub's own web-flow key, so they show as Verified too.