Securing git commits on Windows 10 and WSL2

lock_your_code

Git-based platforms such as Github and Gitlab are probably the most common code management tools out there. Therefore, securing your access to whatever codebase you work on is of dire importance. 2-step verification sign-ins are a step in the right direction, but there is more. In this article, we will dig a little deeper as we learn how to set up gpg keys and do proper commit verification.

All that while working with an Ubuntu-based WSL2 system in Windows 10, as there are some caveats to this specific setup.

Signed Commits

Git has a very simple way of identifying people. You set your name and email with git config and you are good to go, but certainly there are projects where you need better protection around this identification process, hence signed commits. The security keys we will set here will validate that whoever commits a change is indeed who they say they are or, at least, that the commits were added from the same verified system.

Besides, who doesn´t love verified green marks around your commit history?

verified tags example

Generating GPG keys

You start, from your Linux shell terminal, by creating a pair of public/private gpg keys with:

gpg --full-gen-key

You´re going to get prompted with a few questions about the type and size of key you want and if you want it to expire after some time. For this article, the default values for an RSA key with a 3072 bytes size and no expiration time will be enough. So you can just hit enter for those default values and confirm by typing y.

After that, you will be enquired about your credentials, so you can type your name and e-mail, and leave the “comment” field blank. Confirm with O, then input a password. Keep in mind the email and password entered here are going to be the ones used for validating your commits.

This entire process is shown in the image below:

generating gpg keys

Exporting your public key

Now you need to get a hold of your public key, so use the code below to extract your signing key:

gpg --list-secret-keys --keyid-format LONG <email-you-just-used> | grep sec

You should see something like this:

signing key example

And your signing key is the string of characters after your key size, in this case, E5F83F98BEE81051. Save that!

Now use your key to export the public key related to it with:

gpg --armor --export <signing-key>

Your public key should show up like this:

public key example

That entire block is supposed to be copied into your gpg keys section over in your git platform. The image below has an example of where that is on Gitlab:

gitlab gpg example

Setting up git config

Now you need to make sure your git config is set to sign your commits:

git config user.email <your-email>
git config user.signingkey <your-signing-key>

Here are a couple of good config options to have as well:

  • requiring a user config to be present: git config --global user.useConfigOnly true
  • sign commits by default: git config commit.gpgsign true

By the way, this Post shows a great way of managing keys for multiple projects at once.

Setting up WSL2

We would be done after all this if we were using a native Linux system, but WSL2 still misses something as it doesn´t prompt you for your password whenever you create a commit as we would expect for a sudo command or something similar, and just errors out. So let´s go ahead and set up a proper pin-entry piece of software that will integrate with Windows and allow for a password input with GPG4Win.

If you want to, during the installation process, you can unmark some additional components like Kleopatra, as the only requirement is the GnuPG core. Just going with defaults is perfectly fine too.

You´ll need to have some libraries installed to keep going from here:

sudo apt-get install gpg gnupg gpg-agent

Integrate GPG4Win as the program to input pins by editing the file ~/.gnupg/gpg-agent.conf. You can create it if it does not exist. Inside the file, put the correct path to where GPG4Win was actually installed. This should be the default one:

pinentry-program "/mnt/c/Program Files (x86)/GnuPG/bin/pinentry-basic.exe"

Within the same file, additionally, you can setup a cache time (in seconds) so you don´t have to type your password every time:

default-cache-ttl 34560000
max-cache-ttl 34560000
pinentry-program "/mnt/c/Program Files (x86)/GnuPG/bin/pinentry-basic.exe"

Here we just put a long time, and since restarting your machine resets the cache timer, it doesn’t really matter.

After that, you need to restart the gpg-agent and should be good to go:

gpgconf --kill gpg-agent

Remember to restart your terminal instance before trying it out, but if it is still not working, try restarting your machine as it might give GPG4Win a chance to better get in sync with WSL2.

Verifying signed commits

You can use the git command below to check for the last commit signatures:

git log --show-signature -1

That´s All Folks!!!

We are hiring new talents. Do you want to work with us? become@codeminer42.com