GPG Commit Signing on Windows
I like to sign my git commits with my GPG key, as it adds some extra verification that it truly is me writing code. Git takes the user.email field at face value, and I’ve definitely had instances where the origin of a commit was unclear due to misconfiguration. By signing commits, it is without a doubt me that created that commit. Also, I get a nice “Verified” icon in GitHub.
I really struggled to get GPG signing set up on Windows with some of my workflows. While Windows itself wasn’t too hard, getting WSL to work took some struggling, and then using Dev Containers (one of my favorite tools lately) was even more pain with minimal documentation available.
Below is what I have figured out and have working for myself.
First, you need to install GPG on Windows. The easiest way to do this is to use winget and install git:
winget install git.git
The GPG program will be available at C:\Program Files\Git\usr\bin\gpg.exe. Configure git to use it with:
git config --global gpg.program "C:\Program Files\Git\usr\bin\gpg.exe"
Finally, either generate or load existing keys.
Generate a key:
Load a key:
& "C:\Program Files\Git\usr\bin\gpg.exe" --import "path\to\key\key.privkey"
In order to get Dev Containers to work, GPG will also need to be installed in WSL, as the keys loaded in WSL get copied into Dev Containers. Install the following:
sudo apt install gpg gnupg2 socat
Configure GPG to use the pin entry program installed in Windows and reload the agent.
When you commit in WSL, this will use the pin entry program installed in Windows. Otherwise I’ve found it will not work with Dev Containers.
Now, load the same key you loaded in Windows:
gpg --import "/mnt/c/Users/path/to/key.privkey"
For both Windows and WSL, configure git to use your GPG key to sign commits:
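The WSL side of the steps above (pinentry hand-off to Windows, agent reload, git signing config) as one script. This is an added example, not the post’s own commands; it assumes Git for Windows ships its pinentry at /mnt/c/Program Files/Git/usr/bin/pinentry.exe and that the key is referenced by a placeholder key ID.

```shell
#!/bin/sh
# Added example: set up GPG signing in WSL. Assumed paths/IDs are marked below.

# Write or update gpg-agent.conf so gpg in WSL uses the Windows pinentry.
# Idempotent: re-running replaces the pinentry-program line rather than
# appending a duplicate, and other settings in the file are preserved.
# Permissions are tightened to what gpg expects (700 dir, 600 file).
configure_wsl_gpg_agent() {
    gnupghome="$1"
    pinentry="$2"
    conf="$gnupghome/gpg-agent.conf"
    mkdir -p "$gnupghome"
    chmod 700 "$gnupghome"
    if [ -f "$conf" ]; then
        grep -v '^pinentry-program ' "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    printf 'pinentry-program %s\n' "$pinentry" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    chmod 600 "$conf"
    # Ask an already-running agent to re-read its config; harmless if none.
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        GNUPGHOME="$gnupghome" gpg-connect-agent --no-autostart reloadagent /bye \
            >/dev/null 2>&1 || true
    fi
}

# Number of pinentry-program lines in a config (1 means the update was clean).
count_pinentry_lines() {
    grep -c '^pinentry-program ' "$1"
}

# Point git at the signing key and sign every commit by default.
configure_git_signing() {
    key_id="$1"
    git config --global user.signingkey "$key_id"
    git config --global commit.gpgsign true
}

# Run with "--run" to apply to the real home directory.
if [ "${1:-}" = "--run" ]; then
    # Assumed location of the Git for Windows pinentry as seen from WSL.
    configure_wsl_gpg_agent "$HOME/.gnupg" "/mnt/c/Program Files/Git/usr/bin/pinentry.exe"
    configure_git_signing "0123456789ABCDEF"  # placeholder key ID, replace with yours
fi
```

After it runs, `git commit -S` in WSL should raise the Windows pinentry window instead of failing silently in the terminal.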
Lastly, to be able to sign commits in a Dev Container, you’ll need to install GPG in the container, and override your git config to point at that installation.
For Debian/Ubuntu-based images:
apt update && apt install gnupg2 -y && git config gpg.program gpg2
For Alpine-based images:
apk add gnupg && git config gpg.program gpg
As your keyring and git config from WSL get copied into the container, this should work automatically.
Do be warned that this changes the git config for the current repo. If this is a repo that you open both in a Dev Container and Windows/WSL, this will cause havoc. I highly recommend using the “Clone in Volume” option when creating the Dev Container to avoid this.
With all of this set up, you should now be able to sign your commits while developing on Windows no matter if you’re using Windows directly, WSL, or a Dev Container.