Securely Manage Multiple GitHub Repositories with Gpg

In this short article, I will share how our engineers at Raftech handle multiple GitHub organizations that require different git settings.

In this particular example, the settings we will refer to are GPG keys. These keys are registered with our GitHub accounts and verify our identity on commits. This raises the security of the repositories we work with, because a signature proves that the commit really came from the holder of the key, not just from someone who set a matching name and email.

What we achieve with such a setup is commits that GitHub shows with the status "Verified".

How do we usually configure it?

Every git repository has its own configuration file at .git/config, which allows settings specific to that repository.

Locally, in that repository's .git/config, we could specify the GPG signing key like this:

[user]
    # .. other properties removed
    signingkey = 74C611D1F0AF9ABC

And then commit with the -S flag (git commit -S), which signs the commit with that key. Note that the lowercase -s flag only adds a Signed-off-by trailer and does not sign anything.

Multiple repositories with the same GPG key

That is easily solved if you follow the documentation from GitHub: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-gpg-key

That configures a single key for all your repos. But what if you need different keys for repositories under different paths?

Enter the global git config and its conditional includes.

Take the following structure as an example.

/
├── orgA
│   ├── repoA1
│   ├── repoA2
│   └── repoA..N
└── orgB
    ├── repoB1
    ├── repoB2
    └── repoB..N

Configuring the same settings separately in every repository would be counterproductive.

That’s why we will leverage git functionality to include configurations conditionally.

Create a ~/.gitconfig file (if you do not have one yet) and add the following includes (make sure you adjust the paths to your setup):

[includeIf "gitdir:/orgA/**/.git"]
    path = /path/to/.gitconfig-orgA

[includeIf "gitdir:/orgB/**/.git"]
    path = /path/to/.gitconfig-orgB

Now you can set up the contents of each included configuration file. For example, to specify the GPG key and email address used for the repositories under each path:

# /path/to/.gitconfig-orgA
[user]
    name = John Smith
    email = [email protected]
    signingkey = 22***AA

# /path/to/.gitconfig-orgB
[user]
    name = JaySmth
    email = [email protected]
    signingkey = 33***BB
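To confirm that the conditional includes actually resolve the way you expect, here is an added example (not from the article or from Raftech) that builds the orgA/orgB layout in a throwaway HOME, writes the includeIf entries, and asks git which signingkey it resolves inside each repository. It assumes git is on PATH; all paths, names and key IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the orgA/orgB layout in a
# throwaway HOME and checks which signingkey git resolves inside each repository.
set -eu

REPOS="orgA/repoA1 orgB/repoB1 other/repoC"   # other/repoC matches no includeIf

# Create the sandbox, its config files and empty repos; prints the sandbox path.
setup_sandbox() {
  sb=$(cd "$(mktemp -d)" && pwd -P)   # real path: git compares resolved gitdirs
  cat > "$sb/.gitconfig-orgA" <<EOF
[user]
    name = John Smith
    email = john.smith@orga.example
    signingkey = 22EXAMPLEAA
EOF
  cat > "$sb/.gitconfig-orgB" <<EOF
[user]
    name = JaySmth
    email = jay@orgb.example
    signingkey = 33EXAMPLEBB
EOF
  # A gitdir: pattern ending in "/" matches every repository below that directory.
  cat > "$sb/.gitconfig" <<EOF
[includeIf "gitdir:$sb/orgA/"]
    path = $sb/.gitconfig-orgA
[includeIf "gitdir:$sb/orgB/"]
    path = $sb/.gitconfig-orgB
EOF
  for d in $REPOS; do
    mkdir -p "$sb/$d"
    git -c init.defaultBranch=main -C "$sb/$d" init -q
  done
  printf '%s\n' "$sb"
}

# Print the signingkey git resolves in repo $2 under sandbox $1 (empty if none).
active_signingkey() {
  HOME="$1" GIT_CONFIG_GLOBAL="$1/.gitconfig" XDG_CONFIG_HOME="$1/xdg" \
    git -C "$1/$2" config --get user.signingkey || true
}

# Stand-alone run: show the key resolved for each repo, then clean up.
check_all() {
  sb=$(setup_sandbox)
  for d in $REPOS; do
    printf '%-12s -> %s\n' "$d" "$(active_signingkey "$sb" "$d")"
  done
  rm -rf "$sb"
}
check_all
```

The trailing-slash gitdir: form used here is git's documented shorthand for "this directory and everything below it", so it covers the same repositories as the article's /**/.git pattern; run git config --show-origin user.signingkey inside a real repo to see which file a value came from.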

Conclusions

With this short article, we hope we have shared a straightforward way to keep your GitHub configurations organized and secure.

If you have another setup for working with multiple repos/orgs, leave a comment.
