There's a lot to flesh out here. @shawndavenport was going to look into drafting up what is typically required. For example, we might even consider having a commit signing "agent" be a separate (but bundled) Electron app that any Git tool could leverage. That sounds cool, but I have no idea if it's actually feasible. :smile:
I know basically nothing about what's involved here. Does the agent need to provide UI?
> I know basically nothing about what's involved here. Does the agent need to provide UI?
Maybe? I would assume if we want to use it across git clients (so the git command line could use it), that it would. I was thinking it might be somewhat like our Welcome Wizard but for commit signing and would help with key management.
This is still pie in the sky thinking though. My hope is if we can keep it somewhat decoupled from Desktop, your team could ignore it for now and maybe we can get the security team to help build it. :smile: :lock:
Any news on this? Essential functionality and has been open for over a year.
> Any news on this? Essential functionality and has been open for over a year.
Hi @foss-, this is something that we're interested in but it's not part of our immediate roadmap. The best way to stay up to date would be to subscribe to this issue. I've heard whispers about it being possible to set up even though we currently lack first class support for it in the app (@shiftkey?) so if someone has got it working please feel free to share your workarounds here.
Bringing this over from the duplicate:
It would be even better if the app integrated with Keybase so it could automatically obtain the GPG key.
We've fixed some reported issues about our commit step failing when a user has signing enabled and configured already (see #1391 and #1578 for example) and if you're seeing errors like those in the app we'd like to fix it, but @niik is right in that we don't have inbuilt support for configuring commit signing in the app.
gpg-agent to provide this transparently.
@shiftkey thanks for the info shared! Keep up the good work!
Does the problem of being unable to pass the passphrase exist on all OSes? You could at least write how gpg-agent works (I did not find it in the package) :scream_cat:
$ type gpg-agent
bash: type: gpg-agent: not found
Google additionally turns up a solution: echo "no-tty" >> ~/.gnupg/gpg.conf & git config --global gpg.program $(which gpg). But on Windows it does not work.
To resolve the error you must:
sed -i '/^no-tty/d' ~/.gnupg/gpg.conf
git config --global --unset gpg.program
Signing commits through GitHub Desktop is unimplemented today. Use bash.
Even though I thumbed up and subbed, I would like to voice my interest in this being placed on the near/intermediate future roadmap assuming the roadmap can be influenced by user feedback like mine.
Agreed, this is extremely important. I love Github Desktop but it's inconceivable not to have this security feature baked in.
Agree with that too. :+1:
To clear up this thread: it's not already implemented and not planned to, either - other than that, the creators would love to have it?
I'm confused as to why it's not planned then D:
We're a small team and so we have to make hard decisions about what to prioritize. GPG signing hasn't been prioritized yet.
> GPG signing hasn't been prioritized yet.
However, if you know JS/TypeScript and are interested in adding support, feel free to open some PRs!
@j-f1 Any pointers where to start? It seems like the issue is that it's not picking up the PATH properly or otherwise can't use the same Git settings as command line git?
@wilg I'm not aware of any recent issues with PATH not being set correctly, which occurred when some people wanted us to integrate with their existing setup.
I have called out above that we don't currently support users entering a passphrase when committing. https://github.com/desktop/desktop/issues/78#issuecomment-318626389 We disable prompts when spawning Git to ensure it finishes, so I'm not sure how we're going to manage that scenario.
If you're encountering problems around us _interfering_ with commit signing and your existing setup, please open a new issue with details.
Yea last I checked commit signing worked (after much configuration) via the command line but would fail when a commit was made through the app. I'll try to rustle up some details.
FWIW, I know our friends on the Atom team have done some work to support GPG signing, so once we're ready to work on this, it'd be worth while to look at what they did: https://github.com/atom/github
GPG signing works fine with GitHub in Atom, seems like they use a wrapper for the command line.
I have GPG in my path and GitHub launches the GUI just fine but an integrated solution would be good. 🎇
tl;dr found a way to sign commits using GitHub Desktop
Maybe this link helps some of you: https://aaronparecki.com/2016/07/29/10/git-tower
The post is about Tower but works with GitHub Desktop as well.
90% matches what @bopoh13 already commented: https://github.com/desktop/desktop/issues/78#issuecomment-323101774
The missing piece for me was git config --global commit.gpgsign true
So on Mac OS X you could do:
echo no-tty >> ~/.gnupg/gpg.conf
git config --global gpg.program $(which gpg)
git config --global commit.gpgsign true
On Windows it would probably be something like this (untested):
sed -i '/^no-tty/d' ~/.gnupg/gpg.conf
git config --global --unset gpg.program
git config --global commit.gpgsign true
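An added example, not part of the original thread or of GitHub Desktop: a shell check for the three things the workarounds in this thread depend on when `git commit` is spawned by a GUI with no terminal. The function names `audit_signing_setup` and `_finding` and the messages are hypothetical; the pinentry check assumes a `gpg-agent.conf` in the GnuPG home directory.

```shell
#!/bin/sh
# Added example (not GitHub Desktop code): audit whether Git commit signing can
# work when `git commit` is spawned by a GUI client that has no terminal.
# Usage: audit_signing_setup [GNUPG_HOME]
# Prints one finding per line and returns the number of findings (0 = ready).

_finding() { echo "$1"; _n=$((_n + 1)); }

audit_signing_setup() {
    _home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    _n=0

    # 1. Signing must be enabled in config: the GUI runs a plain `git commit`
    #    (the log quoted in this thread shows `git commit -F -`, with no -S).
    if [ "$(git config --get commit.gpgsign 2>/dev/null || true)" != "true" ]; then
        _finding "commit.gpgsign is not true: GUI commits will be unsigned"
    fi

    # 2. The GUI may not inherit the login shell's PATH, so prefer an absolute
    #    gpg.program (what `git config --global gpg.program $(which gpg)` stores).
    _prog="$(git config --get gpg.program 2>/dev/null || true)"
    case "$_prog" in
        "") command -v gpg >/dev/null 2>&1 ||
                _finding "gpg.program is unset and no gpg is on this PATH" ;;
        /*|[A-Za-z]:[\\/]*)
            [ -x "$_prog" ] ||
                _finding "gpg.program '$_prog' is not an executable file" ;;
        *)  _finding "gpg.program '$_prog' is relative and depends on the GUI's PATH" ;;
    esac

    # 3. Without a terminal, the passphrase must come from gpg-agent's cache or
    #    a graphical pinentry; the curses and tty pinentries need a terminal.
    _conf="$_home/gpg-agent.conf"
    if [ -f "$_conf" ] &&
       grep -Eq '^[[:space:]]*pinentry-program[[:space:]].*pinentry-(curses|tty)' "$_conf"
    then
        _finding "pinentry in $_conf needs a terminal and cannot prompt from a GUI"
    fi
    return "$_n"
}

# Report on the current user's setup; findings are informational here.
audit_signing_setup || true
```
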
I found this guide to set up GPG signing for Windows to be helpful.
The problem I ran into is entering the passphrase. If I create a commit via the command line, then create a commit with GitHub Desktop, it works great! That's because gpg-agent caches the passphrase for a period of time.
I'm not sure how we'd hook into that and show the passphrase prompt on behalf of the user.
One thing we should consider is perhaps splitting this into a few issues. PGP support could entail multiple steps:
We could consider step 1 and maybe 2 earlier and do 3 later and 4 someday.
Anything new?
> I'm not sure how we'd hook into that and show the passphrase prompt on behalf of the user.
Turns out this does work with Desktop. I had one failure but not sure why. But now, if I create a commit with the Desktop app, I get the GPG prompt and everything works.
In part, it _should_ just work because under the hood, Desktop is just shelling out to git.exe.
Unfortunately to be able to get github desktop to work with GPG signing you have to disable passphrases. However isn't your computer locked anyways?
Regardless here is a gist on how to get it setup:
https://gist.github.com/Shinrai/63eb85c7e89715a5d2dc9bee0301a8ac
@Shinrai that's not completely true. With git config commit.gpgsign true or git config --global commit.gpgsign true on Windows with Gpg4win (not sure about Linux and macOS) after clicking "Commit" button in Desktop there's a Gpg4win prompt asking for passphrase. Then, if you enter correct passphrase, the commit is signed with your key.
@krzysdz
I might be mistaken but I installed gpg4win and was never prompted for a password when I committed in the github desktop. If I recall it kept coming back with some error. Which was the whole reason I made that gist. So I could reference it later for my other computers.
Dropping in feedback from https://github.com/desktop/desktop/issues/2339 to help consolidate our future-proposal labels. It was mentioned there that showing a verified badge next to commits that have been signed using GPG would be helpful.
I was interested in this functionality. Perhaps on a commit view, you could make the hash light green?

@Elderry, that seems to be irrelevant to Git's GPG functionality. I have it working just fine with GitHub Desktop on macOS Mojave.
@haykam821 You're right, I confirmed it's another problem, going to delete my comment to avoid confusing here.
In theory, the idea behind Desktop is to make the experience as easy as possible without the worries of the console, although it is optional.
So as far as GPG signatures go, and making that process easy and a part of Desktop:
One issue you probably thought about when reading these is that there's a lot of steps for an application that's supposed to simplify the user experience. Which is why we should simply give a visual key that they aren't using verified commits, and tell them to go to Options>[Git|Advanced|GPG]. Honestly I would say that since this is Git-based, it should be under Git in a section under "Verified Commits".
Can't wait to use this feature! :coffee:
I've been using this successfully with my yubikey on Ubuntu 18. The yubikey has a pin.
However, today, it has decided not to work: "Commit failed - exit code 128 received, with output: 'error: gpg failed to sign the data fatal: failed to write commit object'"
1.5.1-linux2 (Linux 4.15.0-43-generic)
Oddly, the log file isn't showing the required sign switch:
2019-01-29T00:33:22.871Z - error: [ui] git commit -F - exited with an unexpected code: 128.
error: gpg failed to sign the data
It works fine from the CLI.
Hi Github users!
You can now sign your commits on GitHub using at least Git 2.18.0 and GitHub Desktop 1.6.1.
I just created a Gist for this solution:
https://gist.github.com/xavierfoucrier/c156027fcc6ae23bcee1204199f177da
That's all folks! :tada:
The page https://help.github.com/en/articles/signing-commits still says
Note: GitHub Desktop does not support commit signing.
Which is wrong if one does what @xavierfoucrier nicely lined out! 👍
Hi @ewerybody,
This issue mainly highlights the fact that GitHub Desktop does not support commit signing because there is no way in the software to set GPG signing "easily": that's what people here would like to see implemented I guess.
As GitHub Desktop is using Git, my solution is just to manually set up Git to sign commits: for sure, it would be cleaner to have a dedicated setting in the application to properly enable/disable/configure commit signing.
Hope to see this feature implemented in the near future. :wink:
Hmm sure. But as soon as you have it set up you don't need to care about it much more. No commandline fiddling or anything. It should rather read:
Note: GitHub Desktop does not support commit signing.
unless you set it up manually.
or
Note: GitHub Desktop does not assist you setting up commit signing.
But you can set it up yourself and GitHub Desktop will work with it.
no?
I agree with both sentences :wink:
PS: don't forget to build Crysis 4 :fist_raised:
any plan?
Hi @tierninho and @outofambit,
Are there any plans for this feature request?
Hi @nicotravassos, thanks for the message. Since we work in the open, if we have upcoming plans in the near future to work on something, we update the issue with that information so you'll know when it happens. This is something we're interested in doing but haven't had bandwidth for. We encourage anyone who wants this feature (or any issue) to emoji react on the issue. While we don't prioritize based on reactions, we do use them as an input into our prioritization process and it can be a useful signal for what things are most important to our users who watch the repo. Thanks again.
just to add to this, can support for OpenPGP smart cards be included? for example the yubikey.
I currently use this with the command line just fine
😐
> In theory, the idea behind Desktop is to make the experience as easy as possible without the worries of the console, although it is optional.
> So as far as GPG signatures go, and making that process easy and a part of Desktop:
> - [ ] Add GPG (or ask the user to install it).
> - [ ] Check if GPG key exists, otherwise ask them if they want to generate one.
> - [ ] Grabbing the GPG key and uploading it to their account, or asking them to (with link to GPG upload page or instruction page).
> - [ ] Visual feedback for Verified commits.
> - [ ] Message at the top, or exclamation icon in a bottom corner which will warn them about a lack of a GPG key.
> - [ ] Verify GPG key and tell Git about their key.
> One issue you probably thought about when reading these is that there's a lot of steps for an application that's supposed to simplify the user experience. Which is why we should simply give a visual key that they aren't using verified commits, and tell them to go to Options>[Git|Advanced|GPG]. Honestly I would say that since this is Git-based, it should be under Git in a section under "Verified Commits".

Let the record show I don't remember saying this, nor can I guarantee it's accurate since I really don't remember anything about GPG Signing 😂 can someone fact check this?
@TheGrimSilence might update first item to:
@jeffpaul very true, I recently installed gpg so obviously I'd make sure it's installed rather than offering it. Rookie mistake 😂
I'm currently using a conjunction of both CLI (git) and GitHub Desktop and it's kinda goofy, but I'm going to keep doing it because I like having "verified commits" (GitHub Desktop gives me that), but I also like utilizing SSH and its authentication passphrase I have with it. Also this issue is somewhat related to this issue: https://github.com/desktop/desktop/issues/3457