GitHub Desktop

Setting up GitHub to sign commits when pushing to repos.

This tutorial requires one device of any in the following categories:

This tutorial requires the following software to be installed:

Software / Operating System table (software names not recovered from the page); operating systems listed: Windows, Linux; Windows, Mac, Linux.

❊ Why Sign Commits?

Code and commit signing does two things: it confirms who the author of the software is and proves that the code has not been altered or tampered with after it was signed. Both are extremely important for building trust with customers and safely distributing your software.

❊ Install GitHub Desktop

GitHub Desktop is a fairly straightforward install. Download the program and then do a typical install.

❊ Install Git (bash)

Proceed to download and start the installation for Git.

The list of options above depends on your preferences. If you are unsure of what some of these do, you can just leave them checked.

On the next screen, Git is going to start asking a few customization options such as which editor you wish to use:

I have selected Visual Studio Code, but you can select whichever one you like. If you don't have an editor installed, then you can select Notepad.

For the next section, you will be asked if you would like Git to name the initial branch after `git init`. You can select Let Git Decide.

The next section will ask how you're using Git from the command-line.

It's best to choose the Recommended option: Git from the command line and also from 3rd-party software.

This next section asks about your choice in SSH client. The answer to this question is going to vary depending on your needs. If you are unsure, select Use Bundled OpenSSH.

For HTTPS transport backend, you can select Use the OpenSSL Library.

For line-ending conversions, if you see an option that fits you specifically, then choose your best option. If you are unsure, select Checkout Windows-style, commit Unix-style line endings.

Next, select Use MinTTY.

Select Default (fast-forward or merge).

Select Git Credential Manager.

Select Enable file system caching (unless you need symbolic links as well).

And FINALLY... select to enable any of the options above. Or you can leave them off.

Once installation has finished, we'll uncheck both options so that we can do the next step:

❊ Setting Environment Variables

During the installation of Git, one of the questions asked was how you want Git to manage environment variables.

We are going to now look at your environment variables and confirm Git did indeed add them.

The option Edit the system environment variables should appear.

You should see two separate boxes labeled USER VARIABLES and SYSTEM VARIABLES.

In the System Variables box, locate the line which defines Path.

Read through the list of variables on each line and find one of the two mentioned here:

  • C:\Program Files\Git\cmd

  • C:\Program Files\Git\bin

The drive letter C: will be different for you if you told Git to install to a different drive.

If you see the above paths in your list of system environment variables, you can close that window. However, if you do not, then you'll need to manually add them.

You will notice a box open up at the very bottom of the window where you can type.

In the box, enter C:\Program Files\Git\cmd

You have now added Git to the Path system environment variable, which will become extremely useful.

To test if it works, open Command Prompt, Terminal, or PowerShell in a new window. You should start in your user's home folder, which is C:\Users\yourusername.

Once you have one of the above opened, type the command:

git --version

You should receive a response back which shows the current version of Git installed on your system.

❊ Generating GPG Keys

The next step is to generate actual GPG keys that you'll import onto your YubiKey and link to your Git software.

There are several ways to generate GPG keys. Select your desired method below:

  • Exporting the private key is prohibited. No other YubiKey can have that private key.

  • Allows you to export your private key and import it into multiple YubiKeys.

Once you have completed one of the guides above and have your GPG keys successfully imported to your YubiKey, please continue below:

❊ Import GPG key to GitHub

Open the menu at the top right, and select Settings.

Then navigate to SSH and GPG Keys.

In the middle of the page, locate the GPG Keys section:

Select a name / title for your GPG key.

For the Key field, it is requesting the GPG Public Key that was produced when your keys were first made.

If you are unsure of how to obtain your GPG Public Key:

Once you export your Public Key, locate the file:

Open this file in Notepad or some other text editor:

This large string of text is your PGP Public Key Block, which you need to copy and then paste into the Key field on GitHub.

You will be redirected back to the GPG page of GitHub:

As you can see in the screenshot, it's advised that you create a GPG key with the same email address associated with your GitHub account. But this is OK for our demo.

Next, we will add our keys to Git Bash / GitHub Desktop.

❊ Git Bash / GitHub Desktop

We now need to tell Git Bash and GitHub Desktop to use a key when signing commits. For reference, the commands you are going to enter below are all saved to the file:

C:\Users\yourusername\.gitconfig

Open Command Prompt, Terminal, or PowerShell.

Execute the following command:

git config --global commit.gpgsign true

Next, we will specify our Key ID -- this is listed on the GitHub page:

git config --global user.signingkey BB6E1E562FFFD354

Finally, we need to tell Git where we have GPG installed. Your path may be different depending on your installation method:

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
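
As an added example (not part of the tutorial), here is a Python preflight script covering two of the steps above: the PGP Public Key Block you copy out of the exported file, and the Key ID you pass to `git config --global user.signingkey`. It checks that the armored block is complete (BEGIN/END lines present and the RFC 4880 CRC-24 checksum correct, so a partial copy-and-paste is caught before it reaches GitHub), derives the long key ID from the key's fingerprint, and confirms that the .gitconfig names the same key you pasted. The key it builds is a constructed dummy with toy RSA parameters, labelled as such in the code; the fingerprint and key-ID arithmetic is the same as for a real `gpg --armor --export` output, which should be accepted unchanged.

```python
"""Preflight check for the GPG commit-signing setup: validates an ASCII-armored
public key block before it is pasted into GitHub and confirms that the long key
ID written to .gitconfig (user.signingkey) belongs to that key.
Added example, not code from the tutorial; the key built below is a CONSTRUCTED
dummy with toy RSA parameters and cannot sign anything."""
import base64
import hashlib
import re

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; this is what the '=XXXX' armor line carries."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor_public_key(text: str) -> bytes:
    """Return the binary key material, raising ValueError when the block was copied
    incompletely (missing BEGIN/END line, missing or wrong checksum)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("block must start with the BEGIN line and end with the END line")
    body = lines[1:-1]
    while body and body[0] and ":" in body[0]:
        body.pop(0)  # optional armor headers such as "Version:" or "Comment:"
    if body and not body[0]:
        body.pop(0)  # blank line separating headers from the base64 data
    if not body or not body[-1].startswith("="):
        raise ValueError("missing '=XXXX' checksum line; the block is probably truncated")
    data = base64.b64decode("".join(body[:-1]), validate=True)  # binascii.Error is a ValueError
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch; the block is corrupted or truncated")
    return data

def is_complete_block(text: str) -> bool:
    """Boolean wrapper around dearmor_public_key for quick yes/no checks."""
    try:
        dearmor_public_key(text)
        return True
    except ValueError:
        return False

def v4_fingerprint(packets: bytes) -> str:
    """Fingerprint of the leading public-key packet (RFC 4880 section 12.2): SHA-1 over
    0x99, the two-byte body length and the body. gpg --export writes this old-format
    header with a two-byte length for normal-sized keys."""
    tag = packets[0]
    if (tag & 0xC0) != 0x80 or ((tag >> 2) & 0x0F) != 6 or (tag & 0x03) != 1:
        raise ValueError("first packet is not a public-key packet with a two-byte length")
    length = int.from_bytes(packets[1:3], "big")
    body = packets[3:3 + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a version 4 key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def long_key_id(fingerprint: str) -> str:
    """The 16-hex-digit ID that GitHub lists and user.signingkey expects."""
    return fingerprint[-16:]

def signingkey_matches(gitconfig_text: str, armored_key: str) -> bool:
    """True when user.signingkey in the .gitconfig text is the long key ID (or the full
    fingerprint) of the armored key; 8-digit short IDs are rejected as too weak."""
    match = re.search(r"^\s*signingkey\s*=\s*(\S+)", gitconfig_text, re.MULTILINE)
    if not match:
        raise ValueError("user.signingkey is not set")
    configured = match.group(1).upper()
    if configured.startswith("0X"):
        configured = configured[2:]
    if len(configured) < 16:
        return False
    return v4_fingerprint(dearmor_public_key(armored_key)).endswith(configured)

def build_dummy_armored_key() -> str:
    """CONSTRUCTED sample: a v4 RSA public-key packet with toy MPIs, armored the way
    `gpg --armor --export` lays it out (BEGIN, blank line, base64, =CRC, END)."""
    def mpi(value: int) -> bytes:
        size = (value.bit_length() + 7) // 8
        return value.bit_length().to_bytes(2, "big") + value.to_bytes(size, "big")
    body = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{ARMOR_BEGIN}\n\n{wrapped}\n={crc}\n{ARMOR_END}\n"

if __name__ == "__main__":
    key = build_dummy_armored_key()
    key_id = long_key_id(v4_fingerprint(dearmor_public_key(key)))
    config = f"[commit]\n\tgpgsign = true\n[user]\n\tsigningkey = {key_id}\n"
    print("long key ID:", key_id, "config matches:", signingkey_matches(config, key))
```

To use it against a real setup, read the exported .asc file and C:\Users\yourusername\.gitconfig into strings and call `signingkey_matches(config_text, key_text)`; a False result means the Key ID in the config is not the key whose public half you gave GitHub, which is exactly the case that produces unsigned or Unverified commits later.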

❊ Testing Commits

Load up GitHub Desktop and make a change to one of your repos.

Once you are ready, commit your changes and within a few seconds you should get a dialog asking for your GPG PIN:

Once you enter your PIN, the process should continue as it normally does and allow you to push your changes.

Git Bash should work the same way when executing the command to commit.

Since most software uses the same Git installation and configuration, you will also be asked for a PIN when you sign commits using Visual Studio Code's Git plugin.

When you view your list of commits on the repo, you should see a Verified tag to the right of the commit.

If you do not use the same email address as your GitHub account for your GPG key, you will see an Unverified tag.
