目录
使用 GPG 为极狐GitLab git commit 签名
git commit 签名
git commit 签名是对 git 的 commit 信息进行一个验证,确保代码提交者是代码修改者本身,防止恶意提交,保护代码的安全。git 有自身的扩展,用来对 commit 进行签名,比如使用 gpg 即可完成 commit 签名。
GPG key 生成
执行 gpg --full-generate-key?即可生成一对 gpg key pair:
gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed Jun 28 21:45:26 2023 CST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: xiaomage
Email address: devops008@sina.com
Comment: gpg signature git commit
You selected this USER-ID:
"xiaomage (gpg signature git commit) <devops008@sina.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key C9DE119E4E550644 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/9D6DA2C807767AD9ECB335AEC9DE119E4E550644.rev'
public and secret key created and signed.
pub rsa4096 2022-06-28 [SC] [expires: 2023-06-28]
9D6DA2C807767AD9ECB335AEC9DE119E4E550644
uid xiaomage (gpg signature git commit) <devops008@sina.com>
sub rsa4096 2022-06-28 [E] [expires: 2023-06-28]在交互的过程中填写必要的信息,即可完成 gpg key pair 的生成,然后用 gpg -k/-K 查看:
$ gpg -k
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-06-28
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2022-06-28 [SC] [expires: 2023-06-28]
9D6DA2C807767AD9ECB335AEC9DE119E4E550644
uid [ultimate] xiaomage (gpg signature git commit) <devops008@sina.com>
sub rsa4096 2022-06-28 [E] [expires: 2023-06-28]
$ gpg -K
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096 2022-06-28 [SC] [expires: 2023-06-28]
9D6DA2C807767AD9ECB335AEC9DE119E4E550644
uid [ultimate] xiaomage (gpg signature git commit) <devops008@sina.com>
ssb rsa4096 2022-06-28 [E] [expires: 2023-06-28]使用 GPG 为极狐GitLab git commit 签名
在极狐GitLab 中添加 GPG public key
使用 gpg 为极狐GitLab git commit 签名之前,需要将 gpg public key 导出。用如下命令即可导出 gpg public key:
$ gpg --armor --export 9D6DA2C807767AD9ECB335AEC9DE119E4E550644
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGK7BhcBEADmWE3Kp5KtevdVmj964EQT2pCB9rugw+kCqQcfnM0Ge5Jj63QG
FSaRvnt8ylq/DktnPPkx7zf/koL464SpiIJu3blWqf9OBOhIiRRRhzSo8znYT8z9
0ttkXZ6SLoMYtzaAgaBkk0IcZJMd8exdYBdqPQEZIiNl2RbQ58xwaOpCkircs4S2
YPm2crhtc7wG2POtkdAeO6YmoY69cQ21RAt2RJZujU4zd4kZsDEgnlXCirnQ+orm
Ek4a70+VUg54+LxUQxG8Ld0lyUuUDsKmvrgr9NFDdwngF4wyn445Su3Hlr0UwmSx
en98b76hbzUoXbjkdGOWw27qK2kqw34dNns04sGygJCH0MjxG4XMnO/cMo8Yhp86
Xcz1H7th0OzTJ3TMTc8APXktBWDaEffhu6n61IaZVNF+M22RDMcbq0Mqu1LnHYof
3v0WR5ME6CtgGWaFSuFNw31kHVS0LI3JYBIivQbvuOGHjxHrOIF/pRweoDcnAzaC
wFDGyJl5e01FhQSZOOdtP1ukmwOUcJvBQkH9H4fVOgV1Ys8TEJdOn3r8K806SD6K
xtKNEtaa4enIlk/Gp7VmvHBOIExZrd+e+sVkeOAvAWI9KavYlu+p5DuacJDHorNY
vycDjnw/olOuw2ttLfqQs52NZi+3cSc6BhhHJ5uFuGdgo5i6OcXa9LKdhQARAQAB
tDh4aWFvbWFnZSAoZ3BnIHNpZ25hdHVyZSBnaXQgY29tbWl0KSA8ZGV2b3BzMDA4
QHNpbmEuY29tPokCVAQTAQoAPhYhBJ1tosgHdnrZ7LM1rsneEZ5OVQZEBQJiuwYX
AhsDBQkB4TOABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEMneEZ5OVQZEEBAP
/3nPeF+sPKNRPRlfXDqkprIrvAybxRSxKT5a/sok6mGtELkI0lj/LXNqd9tY/4nV
3uRqUAEyq2jAg5YnXir5YcnF7ZTsKyq+J7y3FJ4+pvhvRX1syEXvrxj0GFklX9bS
fgnsziY5WrMrpZUx+uTTs2OOyF8cMfCU/aihuZgDwFpiik0Mot3pNxmWzojTzUlk
ttGvlDDwQCcRmYRBpj9B7i9G5AzKefu6QSZ9o1aBcdI6hIpFXcd+ED5TvVU+qlzc
bFXR0gE+GEA1N2zDP2qdeCTXwYvXrZVTUq/mCuK+WTMrrzVd6DoG5VUzfcSeXi4Z
muP2LLq+OGxRtBCoIYCqo+spAQNaAGyjVAN2YFl3H4zkswUG4Xeqr1wQ63m9VAJa
4qiGo63JZ41GLgknlimm+9Pe6Bp+qTA4lvRU2tXjV0HT9+JESB1hPYzDFoTHC6Qm
4KV3V3VjULr+oCDUnJV4oLPHpHhi5tVd1UwN769zTJRmDxRzZuUdsKmjI82iEXR5
8vD65ZPBJJulb0qynReK6NQXY+qDUQy6fGYcEljP+QIWzAmzzBrMqttHRbAV4KpT
sGAiD68iAuKzILVXvX8pcEz9Mf1fYmOMxDOBDyNSefmXf/g6d3gdifNLkRd6JHGW
GrIInbKN1f546N09IuZ/PU9C1dRpuaETEwXatGRMTSjfuQINBGK7BhcBEAC+Uowg
6aT+Vzd3kCFx27L6q3Xe0YFY8YPsq3lC1/QtV7nozbxye/gghAEVKK7vHtzYqNoz
eTjp4T8eQsXgr5f+eN3BjUqbcTBcVP2+/1lV9bZTIcuYkaK32Z8ld6w3mHwQvdwV
aw0qKK00O7ATEfCNdvKBQ6kZIUs0IQCmVBCbDPyI57m96huyHZ+s5zQ6L1PoE0j/
FoVpXz09QHwRlWzfGPaUyHtK4A+CSWq1usYCwhW1/Yjy5q8M0qd/InXvXRQvz+vH
XBI7oa4DoEAp2MsGYov3H9oqjQxqPBw6s347eocHJ2sdLII7TUqpoJ0ou/jhauPf
wyz3XzJZ8Kvvg8rYP7Bxjfo81k6JTE88F1UxHs02H+Ppuu2/0Ggv9vWJW1hcsh5L
Ccr3jnQGAkUWNl7I2/X8B3131/TICKdvEy4x1EXJgp/6KAJNo4lvUKjcMxzrf/SK
9ERiM0GADGPh6D09DBzNhnmKyAftLK+EySTdvtuFZYDr2XYip94+NSzZujkDmfDT
OmvrBeOYVJjvt1eU67U5FVfsT/MHQQp+AfmjDklfjCA/wgJU6uolNf9ARwl4FOTw
QfW+6E1qGX/ySLIn+1VhAiEKSqIblJr7OvevsY3QHpR+CTvCmRBYZoBciYINCrBO
dWu0BUH32XvuQ3xoTvHx0FTiAA9rmebiqop/UQARAQABiQI8BBgBCgAmFiEEnW2i
yAd2etnsszWuyd4Rnk5VBkQFAmK7BhcCGwwFCQHhM4AACgkQyd4Rnk5VBkQy8RAA
rjOckyOoh0KBcZ55UtliB850Lq31kVz07J2+bkWyCCS9WTOjyKwxUdm5tKEZBUpl
wvp+JurnysIKmRGjYl4tTAJLqtk8KLDo/pxZm36x/jCJ57S/d7+Mu3a85sieUZNq
ASI+vgTWscPLB0eJxke7DqwFb8qhiF3n8S7JGO0GDYd9tZj+X3EzSvXs6PPekt20
LPm8GO3EbLsuDdaHAePTIpPTlYKmwH3RZA40aWuQ8feWCHizL1lDUTra842sORBm
l88U6Cub+cpzHO6kCel1HC/zNA37x66rDUdeDB6LuzIpmO94ECSNydkgLn7vxsvv
pECtNsNTahoC6pBgGdtqzodwKDMCKHkG4UFp3mAfeEUntO8EXd87G3CB/ylS7g1A
ePaaMwTj0ZCkTaVSB6f8uqatShQlDsaSSETdEj2TRHJfj5qwos9ztww52qO0MVCh
5SllMZ2VjBYPjks9vSjufnc0glFFqUsZTVZa6RfJLBgcUUqjE5qemy9wkztXFOF+
mLb+Xi8Slj9f2h2yKPxsg8Nb5KcVlA+XG5+kLOaxxupXPibvf9IywBNaGrLnqHsN
W/t/yAcynuyheFPXQLUHeTmL2ODORkRrwjgP0fTYL4YPGoA15XLKHwk315ZxKPaK
hsVsC/wdkOeP2lYFqhC0VsisyUwxBVBGVH6+GQ6CPpg=
=zNIV
-----END PGP PUBLIC KEY BLOCK-----然后添加到极狐GitLab 实例中。通过右上角账号 --> preference --> GPG keys,找到添加 gpg
public key 的地方:
?
将上述导出的 public key 添加到右侧方框中:
?点击 Add?key之后,可以看到,添加成功:
?
配置 Git
配置 Git 之前,需要先获取 signingkey:
$ gpg --list-secret-keys --keyid-format LONG devops008@sina.com
sec rsa4096/C9DE119E4E550644 2022-06-28 [SC] [expires: 2023-06-28]
9D6DA2C807767AD9ECB335AEC9DE119E4E550644
uid [ultimate] xiaomage (gpg signature git commit) <devops008@sina.com>
ssb rsa4096/B3350C8C4DF966BF 2022-06-28 [E] [expires: 2023-06-28]sec 后面的 ID 就是 signingkey,也即 signingkey 是 C9DE119E4E550644。接着用 git config 命令配置 signingkey 即可:
$ git config --global user.signingkey C9DE119E4E550644进行 Git 提交
找一个 Demo repo 进行测试。以 Repo git@jihulab.com:keyboard-man/tekton-image.git 为例来验证。先 clone 代码到本地:
$ git clone git@jihulab.com:keyboard-man/tekton-image.git对其中的 main.go 文件做一个修改(比如修改 port,从 9999 到 9909),然后提交代码:
$ git add . && git commit -S -m "jihu gpg git singture commit"
[main 094d378] jihu gpg git singture commit
1 file changed, 1 insertion(+), 1 deletion(-)
$ git push
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 968 bytes | 968.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0)接着就可以查看签名信息了。
查看签名信息
在对应的仓库 commit 信息中,查看上述的提交:
?
可以看到在 commit 信息的右侧有一个 Verified 的标志,上面显示的内容有 This commit was signed with a verified signature and the committer email is verified to belong to the same user. 。这也证明,用上述生成的 gpg key 对极狐GitLab 的 git commit 进行了签名。