I have recently set up GPG to sign my Git commits so now I have a signingKey field in my gitconfig. I'm not very familiar with details of GPG – is this signingKey a sensitive piece of information that I should keep private or does it fall into the public part of gpg? I have my gitconfig in a public repo where I keep my dotfiles and I was wondering if it's ok to have that field visible.
No, it isn't necessary to keep it private.
The secret key is not in git's configs but in GnuPG's "keyring", which is usually some file in your HOME. In theory it can also be in a more secure location, like a hardware token, but I don't know much about it.
The value in git config only instructs gpg which secret key to select.
I'm not a security expert but I don't think that your signingkey must be kept private:
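To make the point above concrete, here is an added example (not part of the question or the answers) that does what a dotfiles author would want before pushing: it reads `user.signingkey` out of a gitconfig body, classifies the value as the kind of GnuPG key selector it is (short key ID, long key ID, fingerprint, or a user-ID style selector such as an email), and scans the files being published for an ASCII-armored secret key block, which is the thing that must never end up in a public repo. The gitconfig text, the key ID and the "leaked" file are constructed samples, and the function names are my own.

```python
"""Audit a dotfiles checkout: user.signingkey is a public key *selector*; secret material is not."""
import configparser
import re

# Constructed sample of a ~/.gitconfig as it might sit in a public dotfiles repo.
SAMPLE_GITCONFIG = """
[user]
    name = Jane Doe
    email = jane@example.com
    signingkey = 0123456789ABCDEF
[commit]
    gpgsign = true
"""

# Constructed sample of what an accidentally committed exported secret key looks like.
SAMPLE_LEAKED_FILE = """-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBF...constructed placeholder body...
-----END PGP PRIVATE KEY BLOCK-----
"""

PRIVATE_KEY_ARMOR = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
HEX_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)$")


def read_signing_key(gitconfig_text):
    """Return user.signingkey from a gitconfig body, or None if it is unset."""
    # Git indents keys with tabs; configparser would read indented lines as
    # continuations of the previous value, so flatten indentation first.
    flat = "\n".join(line.strip() for line in gitconfig_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    return cp.get("user", "signingkey", fallback=None)


def classify_selector(value):
    """Describe what kind of GnuPG key selector a signingkey value is.

    Every form is a lookup handle: GnuPG uses it to find the secret key in
    its own keyring, and the value itself unlocks nothing.
    """
    v = value.strip()
    if v.endswith("!"):  # trailing '!' tells gpg to use exactly that (sub)key
        v = v[:-1]
    m = HEX_RE.match(v)
    if m:
        n = len(m.group(1))
        if n == 40:
            return "fingerprint"
        if n == 16:
            return "long key id"
        if n == 8:
            return "short key id"
    return "user id or other selector"


def contains_private_key_material(text):
    """True if an ASCII-armored PGP secret key block appears in the text."""
    return PRIVATE_KEY_ARMOR in text


def audit_dotfiles(files):
    """files: {path: contents}. Returns a list of findings; empty means nothing secret was found."""
    findings = []
    for path, body in files.items():
        if contains_private_key_material(body):
            findings.append(f"{path}: contains a PGP private key block; remove it and rotate the key")
    return findings


if __name__ == "__main__":
    key = read_signing_key(SAMPLE_GITCONFIG)
    print(f"signingkey = {key} ({classify_selector(key)}); safe to publish")
    for finding in audit_dotfiles({".gitconfig": SAMPLE_GITCONFIG, "key.asc": SAMPLE_LEAKED_FILE}):
        print("FINDING:", finding)
```

The selector check only tells you the value is an identifier, not a secret; to confirm it actually resolves to a key in your local keyring, run `gpg --list-secret-keys --keyid-format long` and look for the same ID, which is exactly the lookup the answer describes.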