Failing to generate signed commits through github actions

Hi! I recently found out that the commits that I made through Github Actions did not have a Verified Badge. However I want all of my commits to be verified. I tried to create a GPG key, send it in several keyservers and then use it in the actions to sign my commits. But sadly all of my such attempts failed.

Can anyone help me to make signed commits through Github Actions? Here is my code.

Note: Please suggest me actual codes wihout telling me to use others scrits (through the use keyword).

Uploading your key to key servers isn’t going to help much: To make a signature you’d need to make the private key available to the runner, too. Up to you if you want to take that risk, if you do I recommend at least using a separate sign-only subkey, or better a whole different key pair.

Another question is whether signing commits you haven’t actually looked at is a good idea anyway. :sweat_smile:

1 Like

I used Secrets too hide my credentials, so it is relatively safe as Github Never reveals them even to user itself (which is me).

Can you please give me some code lines? I am actually new to GPG. Didn’t worked much with it.

And what are subkeys?

(And yes I selected sign only when generating the key. Is that what you mean’t?)

I’m sorry, I should have been clearer: You should never, ever share your personal private key (also called “secret key”) with anyone or anything. This is not specifically about GitHub Actions or Secrets, it’s a fundamental security rule. That key lets people impersonate you.

What gets uploaded to the key servers is the matching public key which in this case can be used to verify the signatures you made. This lets people check if the code really came from you, as long as you actually keep the private key private (and they got the right public key). An automated system using your key breaks that security assumption.

The Linux kernel documentation has a pretty thorough guide to what code signing is for and (very thorough) safety procedures here.

My main point is: Never, ever share your personal private key. :warning:

What looks like one key pair in GPG is usually (not always) two: One for signing certificates and data, one for encrypting data. You can also separate the first two purposes, and add a key pair for authentication. I guess the “sign only” option skipped generating the encryption pair.

Using a “sign-only” subkey for an automated system would be damage mitigation: It could be used to make code look like it came from you, but not to sign more keys in your name.

Now what?

My recommendation is: Nothing. Unless you have a very special use case you gain nothing (other than green badges) for a lot of effort.

If you still want to sign the automated commits, generate a completely separate key pair (not just a subkey) and mark it clearly as being for automated code signing. For example, you could put something like “touhidurr (automated code signing)” as the name. This is to let people know that the code signed with it comes from an automation you set up, not you personally.

Then you need to export the private key to a file (gpg has an option for that). Use the --armor option to get a text form. I’m not sure if it’ll fit into a secret, otherwise look at Limits for secrets to store a file encrypted with a secret.

In your workflow import that key into the GPG keyring, and then sign. I’m not sure how to handle passphrases for GPG in Actions, you might have to figure that out, or how to export the private key without one.

1 Like