FAQ
How to sign a release using GPG?
How to use GPG to verify signed release?
How to use DCO via the command line
A good example of a release signature can be found on the link. However, 5 and 6 items are described separately.
gpg --full-generate-key
During the execution of this command, you will need to enter additional data:
- Please select what kind of key you want: 1
- What keysize do you want? (3072): 4096
- Please specify how long the key should be valid: 0
- Key is valid for? (0): 0
- Is this correct? (y/N): y
- Real name: LPVS
- Email address: o.kopysov@samsung.com
- Comment: Keys for LPVS
In this case, the result will be the next
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: LPVS
Email address: o.kopysov@samsung.com
Comment: Keys for LPVS
You selected this USER-ID:
"LPVS (Keys for LPVS) <o.kopysov@samsung.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key BE13B1D440E813F0 marked as ultimately trusted
gpg: revocation certificate stored as '/home/virtual-pc/.gnupg/openpgp-revocs.d/D3C7C06AC34BDA9A41388E76BE13B1D440E813F0.rev'
public and secret key created and signed.
pub rsa4096 2021-10-15 [SC]
D3C7C06AC34BDA9A41388E76BE13B1D440E813F0
uid LPVS (Keys for LPVS) <o.kopysov@samsung.com>
sub rsa4096 2021-10-15 [E]
Set your GPG signing key in Git
git config --global user.signingkey <key-ID>
Create and sign the tag
git tag -s <tag>
gpg --armor --detach-sign lpvs-vx.x.x.tar.gz
If you have multiple keys, you must specify the key that will be used by adding the option
-u <key-ID>
gpg --output lpvs-public.pgp --armor --export o.kopysov@samsung.com
gpg --output lpvs-private.pgp --armor --export-secret-key o.kopysov@samsung.com
It should be noted that only the signature file (
lpvs-vx.x.x.tar.gz.asc
) and the public key (lpvs-public.pgp
) must be loaded as an artifact to release.
For this need to download the private key (lpvs-private.pgp
) by the next command:
gpg --import lpvs-private.pgp
To perform the verification, you need the following:
- signed file – for example
lpvs-vx.x.x.tar.gz
- signature file – accompanying file with “.asc” extension (Ex.
lpvs-vx.x.x.tar.gz.asc
) - public key – for example
lpvs-public.pgp
gpg --import <public key>
gpg --verify <signature file> <signed file>
If you have multiple keys, you must specify the key that will be used by adding the option
-u <key-ID>
The most popular way to do DCO is to sign off your username and email address in the git command line.
First, configure your local git install.
$ git config --global user.name "John Doe"
$ git config --global user.email johndoe@example.com
Obviously, you should use your own name and the email address associated with your GitHub user account.
Now, every time you commit new code in git, just add a signoff statement via the -s
flag.
$ git commit -s -m "This is my commit message"
That’s it. Git adds your sign-off message in the commit message, and you contribution (commit) is now DCO compliant.