Move GPG signed commits docs to new location
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/36804
|
@ -12,7 +12,7 @@
|
|||
Add a GPG key
|
||||
%p.profile-settings-content
|
||||
Before you can add a GPG key you need to
|
||||
= link_to 'generate it.', help_page_path('user/project/gpg_signed_commits/index.md')
|
||||
= link_to 'generate it.', help_page_path('user/project/repository/gpg_signed_commits/index.md')
|
||||
= render 'form'
|
||||
%hr
|
||||
%h5
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
%span.monospace= signature.gpg_key_primary_keyid
|
||||
|
||||
|
||||
= link_to('Learn more about signing commits', help_page_path('user/project/gpg_signed_commits/index.md'), class: 'gpg-popover-help-link')
|
||||
= link_to('Learn more about signing commits', help_page_path('user/project/repository/gpg_signed_commits/index.md'), class: 'gpg-popover-help-link')
|
||||
|
||||
%button{ class: css_classes, data: { toggle: 'popover', html: 'true', placement: 'auto top', title: title, content: content } }
|
||||
= label
|
||||
|
|
|
@ -77,6 +77,8 @@ Manage your [repositories](user/project/repository/index.md) from the UI (user i
|
|||
- [Create a branch](user/project/repository/web_editor.md#create-a-new-branch)
|
||||
- [Protected branches](user/project/protected_branches.md#protected-branches)
|
||||
- [Delete merged branches](user/project/repository/branches/index.md#delete-merged-branches)
|
||||
- Commits
|
||||
- [Signing commits](user/project/repository/gpg_signed_commits/index.md): use GPG to sign your commits.
|
||||
|
||||
### Issues and Merge Requests (MRs)
|
||||
|
||||
|
@ -98,7 +100,6 @@ Manage your [repositories](user/project/repository/index.md) from the UI (user i
|
|||
- [Git](topics/git/index.md): Getting started with Git, branching strategies, Git LFS, advanced use.
|
||||
- [Git cheatsheet](https://gitlab.com/gitlab-com/marketing/raw/master/design/print/git-cheatsheet/print-pdf/git-cheatsheet.pdf): Download a PDF describing the most used Git operations.
|
||||
- [GitLab Flow](workflow/gitlab_flow.md): explore the best of Git with the GitLab Flow strategy.
|
||||
- [Signing commits](user/project/gpg_signed_commits/index.md): use GPG to sign your commits.
|
||||
|
||||
### Migrate and import your projects from other platforms
|
||||
|
||||
|
|
|
@ -1,245 +1 @@
|
|||
# Signing commits with GPG
|
||||
|
||||
> [Introduced][ce-9546] in GitLab 9.5.
|
||||
|
||||
GitLab can show whether a commit is verified or not when signed with a GPG key.
|
||||
All you need to do is upload the public GPG key in your profile settings.
|
||||
|
||||
GPG verified tags are not supported yet.
|
||||
|
||||
## Getting started with GPG
|
||||
|
||||
Here are a few guides to get you started with GPG:
|
||||
|
||||
- [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
|
||||
- [Managing OpenPGP Keys](https://riseup.net/en/security/message-security/openpgp/gpg-keys)
|
||||
- [OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices)
|
||||
- [Creating a new GPG key with subkeys](https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/) (advanced)
|
||||
|
||||
## How GitLab handles GPG
|
||||
|
||||
GitLab uses its own keyring to verify the GPG signature. It does not access any
|
||||
public key server.
|
||||
|
||||
In order to have a commit verified on GitLab the corresponding public key needs
|
||||
to be uploaded to GitLab. For a signature to be verified two prerequisites need
|
||||
to be met:
|
||||
|
||||
1. The public key needs to be added your GitLab account
|
||||
1. One of the emails in the GPG key matches your **primary** email
|
||||
|
||||
## Generating a GPG key
|
||||
|
||||
If you don't already have a GPG key, the following steps will help you get
|
||||
started:
|
||||
|
||||
1. [Install GPG](https://www.gnupg.org/download/index.html) for your operating system
|
||||
1. Generate the private/public key pair with the following command:
|
||||
|
||||
```sh
|
||||
gpg --full-gen-key
|
||||
```
|
||||
|
||||
This will spawn a series of questions.
|
||||
|
||||
1. The first question is which algorithm can be used. Select the kind you want
|
||||
or press <kbd>Enter</kbd> to choose the default (RSA and RSA):
|
||||
|
||||
```
|
||||
Please select what kind of key you want:
|
||||
(1) RSA and RSA (default)
|
||||
(2) DSA and Elgamal
|
||||
(3) DSA (sign only)
|
||||
(4) RSA (sign only)
|
||||
Your selection? 1
|
||||
```
|
||||
|
||||
1. The next question is key length. We recommend to choose the highest value
|
||||
which is `4096`:
|
||||
|
||||
```
|
||||
RSA keys may be between 1024 and 4096 bits long.
|
||||
What keysize do you want? (2048) 4096
|
||||
Requested keysize is 4096 bits
|
||||
```
|
||||
1. Next, you need to specify the validity period of your key. This is something
|
||||
subjective, and you can use the default value which is to never expire:
|
||||
|
||||
```
|
||||
Please specify how long the key should be valid.
|
||||
0 = key does not expire
|
||||
<n> = key expires in n days
|
||||
<n>w = key expires in n weeks
|
||||
<n>m = key expires in n months
|
||||
<n>y = key expires in n years
|
||||
Key is valid for? (0) 0
|
||||
Key does not expire at all
|
||||
```
|
||||
|
||||
1. Confirm that the answers you gave were correct by typing `y`:
|
||||
|
||||
```
|
||||
Is this correct? (y/N) y
|
||||
```
|
||||
|
||||
1. Enter you real name, the email address to be associated with this key (should
|
||||
match the primary email address you use in GitLab) and an optional comment
|
||||
(press <kbd>Enter</kbd> to skip):
|
||||
|
||||
```
|
||||
GnuPG needs to construct a user ID to identify your key.
|
||||
|
||||
Real name: Mr. Robot
|
||||
Email address: mr@robot.sh
|
||||
Comment:
|
||||
You selected this USER-ID:
|
||||
"Mr. Robot <mr@robot.sh>"
|
||||
|
||||
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
|
||||
```
|
||||
|
||||
1. Pick a strong password when asked and type it twice to confirm.
|
||||
1. Use the following command to list the private GPG key you just created:
|
||||
|
||||
```
|
||||
gpg --list-secret-keys mr@robot.sh
|
||||
```
|
||||
|
||||
Replace `mr@robot.sh` with the email address you entered above.
|
||||
|
||||
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
|
||||
`0x30F2B65B9246B6CA`:
|
||||
|
||||
```
|
||||
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
|
||||
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
|
||||
uid [ultimate] Mr. Robot <mr@robot.sh>
|
||||
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
|
||||
```
|
||||
|
||||
1. Export the public key of that ID (replace your key ID from the previous step):
|
||||
|
||||
```
|
||||
gpg --armor --export 0x30F2B65B9246B6CA
|
||||
```
|
||||
|
||||
1. Finally, copy the public key and [add it in your profile settings](#adding-a-gpg-key-to-your-account)
|
||||
|
||||
## Adding a GPG key to your account
|
||||
|
||||
>**Note:**
|
||||
Once you add a key, you cannot edit it, only remove it. In case the paste
|
||||
didn't work, you'll have to remove the offending key and re-add it.
|
||||
|
||||
You can add a GPG key in your profile's settings:
|
||||
|
||||
1. On the upper right corner, click on your avatar and go to your **Settings**.
|
||||
|
||||
![Settings dropdown](../../profile/img/profile_settings_dropdown.png)
|
||||
|
||||
1. Navigate to the **GPG keys** tab and paste your _public_ key in the 'Key'
|
||||
box.
|
||||
|
||||
![Paste GPG public key](img/profile_settings_gpg_keys_paste_pub.png)
|
||||
|
||||
1. Finally, click on **Add key** to add it to GitLab. You will be able to see
|
||||
its fingerprint, the corresponding email address and creation date.
|
||||
|
||||
![GPG key single page](img/profile_settings_gpg_keys_single_key.png)
|
||||
|
||||
## Associating your GPG key with Git
|
||||
|
||||
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
|
||||
your account](#adding-a-gpg-key-to-your-account), it's time to tell Git which
|
||||
key to use.
|
||||
|
||||
1. Use the following command to list the private GPG key you just created:
|
||||
|
||||
```
|
||||
gpg --list-secret-keys mr@robot.sh
|
||||
```
|
||||
|
||||
Replace `mr@robot.sh` with the email address you entered above.
|
||||
|
||||
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
|
||||
`0x30F2B65B9246B6CA`:
|
||||
|
||||
```
|
||||
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
|
||||
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
|
||||
uid [ultimate] Mr. Robot <mr@robot.sh>
|
||||
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
|
||||
```
|
||||
|
||||
1. Tell Git to use that key to sign the commits:
|
||||
|
||||
```
|
||||
git config --global user.signingkey 0x30F2B65B9246B6CA
|
||||
```
|
||||
|
||||
Replace `0x30F2B65B9246B6CA` with your GPG key ID.
|
||||
|
||||
## Signing commits
|
||||
|
||||
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
|
||||
your account](#adding-a-gpg-key-to-your-account), you can start signing your
|
||||
commits:
|
||||
|
||||
1. Commit like you used to, the only difference is the addition of the `-S` flag:
|
||||
|
||||
```
|
||||
git commit -S -m "My commit msg"
|
||||
```
|
||||
|
||||
1. Enter the passphrase of your GPG key when asked.
|
||||
1. Push to GitLab and check that your commits [are verified](#verifying-commits).
|
||||
|
||||
If you don't want to type the `-S` flag every time you commit, you can tell Git
|
||||
to sign your commits automatically:
|
||||
|
||||
```
|
||||
git config --global commit.gpgsign true
|
||||
```
|
||||
|
||||
## Verifying commits
|
||||
|
||||
1. Within a project or [merge request](../merge_requests/index.md), navigate to
|
||||
the **Commits** tab. Signed commits will show a badge containing either
|
||||
"Verified" or "Unverified", depending on the verification status of the GPG
|
||||
signature.
|
||||
|
||||
![Signed and unsigned commits](img/project_signed_and_unsigned_commits.png)
|
||||
|
||||
1. By clicking on the GPG badge, details of the signature are displayed.
|
||||
|
||||
![Signed commit with verified signature](img/project_signed_commit_verified_signature.png)
|
||||
|
||||
![Signed commit with verified signature](img/project_signed_commit_unverified_signature.png)
|
||||
|
||||
## Revoking a GPG key
|
||||
|
||||
Revoking a key **unverifies** already signed commits. Commits that were
|
||||
verified by using this key will change to an unverified state. Future commits
|
||||
will also stay unverified once you revoke this key. This action should be used
|
||||
in case your key has been compromised.
|
||||
|
||||
To revoke a GPG key:
|
||||
|
||||
1. On the upper right corner, click on your avatar and go to your **Settings**.
|
||||
1. Navigate to the **GPG keys** tab.
|
||||
1. Click on **Revoke** besides the GPG key you want to delete.
|
||||
|
||||
## Removing a GPG key
|
||||
|
||||
Removing a key **does not unverify** already signed commits. Commits that were
|
||||
verified by using this key will stay verified. Only unpushed commits will stay
|
||||
unverified once you remove this key. To unverify already signed commits, you need
|
||||
to [revoke the associated GPG key](#revoking-a-gpg-key) from your account.
|
||||
|
||||
To remove a GPG key from your account:
|
||||
|
||||
1. On the upper right corner, click on your avatar and go to your **Settings**.
|
||||
1. Navigate to the **GPG keys** tab.
|
||||
1. Click on the trash icon besides the GPG key you want to delete.
|
||||
|
||||
[ce-9546]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9546
|
||||
This document was moved to [another location](../repository/gpg_signed_commits/index.md).
|
||||
|
|
Before Width: | Height: | Size: 24 KiB After Width: | Height: | Size: 24 KiB |
Before Width: | Height: | Size: 4.3 KiB After Width: | Height: | Size: 4.3 KiB |
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
Before Width: | Height: | Size: 9.3 KiB After Width: | Height: | Size: 9.3 KiB |
Before Width: | Height: | Size: 14 KiB After Width: | Height: | Size: 14 KiB |
|
@ -0,0 +1,245 @@
|
|||
# Signing commits with GPG
|
||||
|
||||
> [Introduced][ce-9546] in GitLab 9.5.
|
||||
|
||||
GitLab can show whether a commit is verified or not when signed with a GPG key.
|
||||
All you need to do is upload the public GPG key in your profile settings.
|
||||
|
||||
GPG verified tags are not supported yet.
|
||||
|
||||
## Getting started with GPG
|
||||
|
||||
Here are a few guides to get you started with GPG:
|
||||
|
||||
- [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
|
||||
- [Managing OpenPGP Keys](https://riseup.net/en/security/message-security/openpgp/gpg-keys)
|
||||
- [OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices)
|
||||
- [Creating a new GPG key with subkeys](https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/) (advanced)
|
||||
|
||||
## How GitLab handles GPG
|
||||
|
||||
GitLab uses its own keyring to verify the GPG signature. It does not access any
|
||||
public key server.
|
||||
|
||||
In order to have a commit verified on GitLab the corresponding public key needs
|
||||
to be uploaded to GitLab. For a signature to be verified two prerequisites need
|
||||
to be met:
|
||||
|
||||
1. The public key needs to be added your GitLab account
|
||||
1. One of the emails in the GPG key matches your **primary** email
|
||||
|
||||
## Generating a GPG key
|
||||
|
||||
If you don't already have a GPG key, the following steps will help you get
|
||||
started:
|
||||
|
||||
1. [Install GPG](https://www.gnupg.org/download/index.html) for your operating system
|
||||
1. Generate the private/public key pair with the following command:
|
||||
|
||||
```sh
|
||||
gpg --full-gen-key
|
||||
```
|
||||
|
||||
This will spawn a series of questions.
|
||||
|
||||
1. The first question is which algorithm can be used. Select the kind you want
|
||||
or press <kbd>Enter</kbd> to choose the default (RSA and RSA):
|
||||
|
||||
```
|
||||
Please select what kind of key you want:
|
||||
(1) RSA and RSA (default)
|
||||
(2) DSA and Elgamal
|
||||
(3) DSA (sign only)
|
||||
(4) RSA (sign only)
|
||||
Your selection? 1
|
||||
```
|
||||
|
||||
1. The next question is key length. We recommend to choose the highest value
|
||||
which is `4096`:
|
||||
|
||||
```
|
||||
RSA keys may be between 1024 and 4096 bits long.
|
||||
What keysize do you want? (2048) 4096
|
||||
Requested keysize is 4096 bits
|
||||
```
|
||||
1. Next, you need to specify the validity period of your key. This is something
|
||||
subjective, and you can use the default value which is to never expire:
|
||||
|
||||
```
|
||||
Please specify how long the key should be valid.
|
||||
0 = key does not expire
|
||||
<n> = key expires in n days
|
||||
<n>w = key expires in n weeks
|
||||
<n>m = key expires in n months
|
||||
<n>y = key expires in n years
|
||||
Key is valid for? (0) 0
|
||||
Key does not expire at all
|
||||
```
|
||||
|
||||
1. Confirm that the answers you gave were correct by typing `y`:
|
||||
|
||||
```
|
||||
Is this correct? (y/N) y
|
||||
```
|
||||
|
||||
1. Enter you real name, the email address to be associated with this key (should
|
||||
match the primary email address you use in GitLab) and an optional comment
|
||||
(press <kbd>Enter</kbd> to skip):
|
||||
|
||||
```
|
||||
GnuPG needs to construct a user ID to identify your key.
|
||||
|
||||
Real name: Mr. Robot
|
||||
Email address: mr@robot.sh
|
||||
Comment:
|
||||
You selected this USER-ID:
|
||||
"Mr. Robot <mr@robot.sh>"
|
||||
|
||||
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
|
||||
```
|
||||
|
||||
1. Pick a strong password when asked and type it twice to confirm.
|
||||
1. Use the following command to list the private GPG key you just created:
|
||||
|
||||
```
|
||||
gpg --list-secret-keys mr@robot.sh
|
||||
```
|
||||
|
||||
Replace `mr@robot.sh` with the email address you entered above.
|
||||
|
||||
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
|
||||
`0x30F2B65B9246B6CA`:
|
||||
|
||||
```
|
||||
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
|
||||
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
|
||||
uid [ultimate] Mr. Robot <mr@robot.sh>
|
||||
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
|
||||
```
|
||||
|
||||
1. Export the public key of that ID (replace your key ID from the previous step):
|
||||
|
||||
```
|
||||
gpg --armor --export 0x30F2B65B9246B6CA
|
||||
```
|
||||
|
||||
1. Finally, copy the public key and [add it in your profile settings](#adding-a-gpg-key-to-your-account)
|
||||
|
||||
## Adding a GPG key to your account
|
||||
|
||||
>**Note:**
|
||||
Once you add a key, you cannot edit it, only remove it. In case the paste
|
||||
didn't work, you'll have to remove the offending key and re-add it.
|
||||
|
||||
You can add a GPG key in your profile's settings:
|
||||
|
||||
1. On the upper right corner, click on your avatar and go to your **Settings**.
|
||||
|
||||
![Settings dropdown](../../../profile/img/profile_settings_dropdown.png)
|
||||
|
||||
1. Navigate to the **GPG keys** tab and paste your _public_ key in the 'Key'
|
||||
box.
|
||||
|
||||
![Paste GPG public key](img/profile_settings_gpg_keys_paste_pub.png)
|
||||
|
||||
1. Finally, click on **Add key** to add it to GitLab. You will be able to see
|
||||
its fingerprint, the corresponding email address and creation date.
|
||||
|
||||
![GPG key single page](img/profile_settings_gpg_keys_single_key.png)
|
||||
|
||||
## Associating your GPG key with Git
|
||||
|
||||
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
|
||||
your account](#adding-a-gpg-key-to-your-account), it's time to tell Git which
|
||||
key to use.
|
||||
|
||||
1. Use the following command to list the private GPG key you just created:
|
||||
|
||||
```
|
||||
gpg --list-secret-keys mr@robot.sh
|
||||
```
|
||||
|
||||
Replace `mr@robot.sh` with the email address you entered above.
|
||||
|
||||
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
|
||||
`0x30F2B65B9246B6CA`:
|
||||
|
||||
```
|
||||
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
|
||||
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
|
||||
uid [ultimate] Mr. Robot <mr@robot.sh>
|
||||
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
|
||||
```
|
||||
|
||||
1. Tell Git to use that key to sign the commits:
|
||||
|
||||
```
|
||||
git config --global user.signingkey 0x30F2B65B9246B6CA
|
||||
```
|
||||
|
||||
Replace `0x30F2B65B9246B6CA` with your GPG key ID.
|
||||
|
||||
## Signing commits
|
||||
|
||||
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
|
||||
your account](#adding-a-gpg-key-to-your-account), you can start signing your
|
||||
commits:
|
||||
|
||||
1. Commit like you used to, the only difference is the addition of the `-S` flag:
|
||||
|
||||
```
|
||||
git commit -S -m "My commit msg"
|
||||
```
|
||||
|
||||
1. Enter the passphrase of your GPG key when asked.
|
||||
1. Push to GitLab and check that your commits [are verified](#verifying-commits).
|
||||
|
||||
If you don't want to type the `-S` flag every time you commit, you can tell Git
|
||||
to sign your commits automatically:
|
||||
|
||||
```
|
||||
git config --global commit.gpgsign true
|
||||
```
|
||||
|
||||
## Verifying commits
|
||||
|
||||
1. Within a project or [merge request](../../merge_requests/index.md), navigate to
|
||||
the **Commits** tab. Signed commits will show a badge containing either
|
||||
"Verified" or "Unverified", depending on the verification status of the GPG
|
||||
signature.
|
||||
|
||||
![Signed and unsigned commits](img/project_signed_and_unsigned_commits.png)
|
||||
|
||||
1. By clicking on the GPG badge, details of the signature are displayed.
|
||||
|
||||
![Signed commit with verified signature](img/project_signed_commit_verified_signature.png)
|
||||
|
||||
![Signed commit with verified signature](img/project_signed_commit_unverified_signature.png)
|
||||
|
||||
## Revoking a GPG key
|
||||
|
||||
Revoking a key **unverifies** already signed commits. Commits that were
|
||||
verified by using this key will change to an unverified state. Future commits
|
||||
will also stay unverified once you revoke this key. This action should be used
|
||||
in case your key has been compromised.
|
||||
|
||||
To revoke a GPG key:
|
||||
|
||||
1. On the upper right corner, click on your avatar and go to your **Settings**.
|
||||
1. Navigate to the **GPG keys** tab.
|
||||
1. Click on **Revoke** besides the GPG key you want to delete.
|
||||
|
||||
## Removing a GPG key
|
||||
|
||||
Removing a key **does not unverify** already signed commits. Commits that were
|
||||
verified by using this key will stay verified. Only unpushed commits will stay
|
||||
unverified once you remove this key. To unverify already signed commits, you need
|
||||
to [revoke the associated GPG key](#revoking-a-gpg-key) from your account.
|
||||
|
||||
To remove a GPG key from your account:
|
||||
|
||||
1. On the upper right corner, click on your avatar and go to your **Settings**.
|
||||
1. Navigate to the **GPG keys** tab.
|
||||
1. Click on the trash icon besides the GPG key you want to delete.
|
||||
|
||||
[ce-9546]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9546
|
|
@ -22,7 +22,7 @@ you to [connect with GitLab via SSH](../../../ssh/README.md).
|
|||
|
||||
## Files
|
||||
|
||||
## Create and edit files
|
||||
### Create and edit files
|
||||
|
||||
Host your codebase in GitLab repositories by pushing your files to GitLab.
|
||||
You can either use the user interface (UI), or connect your local computer
|
||||
|
@ -111,6 +111,8 @@ right from the UI.
|
|||
- **Revert a commit:**
|
||||
Easily [revert a commit](../merge_requests/revert_changes.md#reverting-a-commit)
|
||||
from the UI to a selected branch.
|
||||
- **Sign a commit:**
|
||||
Use GPG to [sign your commits](gpg_signed_commits/index.md).
|
||||
|
||||
## Repository size
|
||||
|
||||
|
|