 

Should I keep gitconfig's "signingKey" private?

I have recently set up GPG to sign my Git commits, so now I have a signingKey field in my gitconfig. I'm not very familiar with the details of GPG: is this signingKey a sensitive piece of information that I should keep private, or does it fall into the public part of GPG? I have my gitconfig in a public repo where I keep my dotfiles, and I was wondering if it's OK to have that field visible.

Milad asked Jan 02 '18 17:01




2 Answers

No, it isn't necessary to keep it private.

The secret key is not in Git's config but in GnuPG's "keyring", which is usually a file in your HOME. In theory it can also be in a more secure location, like a hardware token, but I don't know much about that.

The value in git config only instructs gpg which secret key to select.

max630 answered Sep 26 '22 17:09
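The following script is an added example, not code from the question or from either answer. It shows the point made in this answer end to end: it creates a throwaway GnuPG keyring and a throwaway git configuration, makes one signed commit, and then checks what ended up where. It assumes `gpg` (2.1 or newer) and `git` are installed; the "Demo Signer" identity, the temporary paths and the commit contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: a throwaway
# demonstration that user.signingkey is only a selector and that the secret
# key never leaves GnuPG's keyring. Assumes gpg (2.1 or newer) and git are
# installed; the "Demo Signer" identity and all paths are constructed here.
set -eu

WORK="$(mktemp -d)"
export HOME="$WORK/home"            # fresh ~/.gitconfig; your real one is untouched
export GNUPGHOME="$WORK/gnupg"      # fresh keyring; this is where the secret key will live
export GIT_CONFIG_NOSYSTEM=1        # ignore /etc/gitconfig as well
mkdir -p "$HOME" "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
REPO="$WORK/repo"

# Generate a signing-only ed25519 key with an empty passphrase (demo only; a
# real key should be passphrase-protected or kept on a hardware token).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0 2>/dev/null

# The 40-hex-digit fingerprint is the value that goes into user.signingkey.
FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')"

git config --global user.name 'Demo Signer'
git config --global user.email 'demo@example.invalid'
git config --global user.signingkey "$FPR"
git config --global commit.gpgsign true
git config --global init.defaultBranch main

# Make one signed commit in a fresh repository.
git init -q "$REPO"
echo 'hello' > "$REPO/README"
git -C "$REPO" add README
git -C "$REPO" commit -q -m 'signed commit'

# What ends up in the public dotfile: the key identifier only.
signingkey_in_config() { git config --global --get user.signingkey; }

# Does ~/.gitconfig contain any key material? (exit 0 = yes, 1 = no)
config_has_secret() { grep -q -e 'PRIVATE KEY' -e 'BEGIN PGP' "$HOME/.gitconfig"; }

# Where the secret actually is: GnuPG's private key store, one .key file per key.
count_secret_keys() { find "$GNUPGHOME/private-keys-v1.d" -name '*.key' | wc -l | tr -d ' '; }

# Git's one-letter verification status for HEAD: G = good, U = good but key
# validity unknown, B = bad, E = could not check.
verify_status() { git -C "$REPO" log -1 --format=%G?; }

# Verify again from a keyring that holds ONLY the exported public key, i.e. what
# a reviewer or GitHub has: the signature still checks out without the secret.
verify_with_public_only() {
    gpg --batch --armor --export "$FPR" > "$WORK/pub.asc"
    mkdir -p "$WORK/pubonly"
    chmod 700 "$WORK/pubonly"
    GNUPGHOME="$WORK/pubonly" gpg --batch --quiet --import "$WORK/pub.asc" 2>/dev/null
    GNUPGHOME="$WORK/pubonly" git -C "$REPO" log -1 --format=%G?
}

echo "user.signingkey in ~/.gitconfig: $(signingkey_in_config)"
if config_has_secret; then
    echo "WARNING: ~/.gitconfig contains key material"
else
    echo "~/.gitconfig holds no key material"
fi
echo "secret keys stored under $GNUPGHOME/private-keys-v1.d: $(count_secret_keys)"
echo "verification with the full keyring:     $(verify_status)"
echo "verification with the public key only:  $(verify_with_public_only)"
```

Run it with `sh demo.sh`. The `private-keys-v1.d` directory under `$GNUPGHOME` is the secret part of the keyring this answer refers to; `~/.gitconfig` only ever receives the fingerprint, and verification from a keyring holding nothing but the exported public key still succeeds (status `U`, a good signature from a key whose validity is unknown, rather than `G`, because the fresh keyring has assigned no trust to it). A key kept on a hardware token changes none of this: the config value is still just the fingerprint, and gpg asks the token to produce the signature.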


I'm not a security expert, but I don't think your signingkey must be kept private:

  • The .gitconfig file doesn't contain any critical data (like private keys), hence many people share it in their GitHub dotfiles repository, including their signing key.
  • If it were to be kept private, GitHub wouldn't show it publicly when you click on the "Verified" button of a signed commit:

(screenshot: the "Verified" popover showing the GPG key ID)

Deniz answered Sep 22 '22 17:09