Add GPG keys to verify signed commits

PulseUno enables you to sign Git commits using GnuPG (GPG) keys.

Note: This functionality is available only with the PulseUno Git server.

GPG key guidelines

To configure commit signing, you need a pair of GPG keys:

  • public key, which you add to your PulseUno account to verify commits.
  • private key, which you use to sign commits from the Git command line. Store this key in a secure place on your local system.

When you push a commit signed with your private GPG key, PulseUno checks the signature against the corresponding public GPG key in your PulseUno account. If the email address provided in the private key matches the email address in PulseUno, the signature is verified.

PulseUno applies the following labels to signed commits:

  • Verified: Commits signed with a verified GPG key of the user who made the commit.
  • Unverified: Commits signed with an unknown GPG key or with a GPG key of another user.

PulseUno supports the following GPG key types:

  • RSA 1024–4096 (RSA 3072 or RSA 4096 are recommended)

  • DSA 1024–3072 (not recommended for security reasons)

  • ECC Curve25519, or ED25519 (recommended as the most secure option)

  • ECC NIST P-384, or nistP384

  • ECC Brainpool P-256, or brainpoolP256r1

If you don't have GPG keys, download and install the GnuPG command-line tool from the GnuPG download page. Then generate a key pair. For details, see the GnuPG documentation. Because GPG keys require your email address, make sure to provide your PulseUno account email.
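
The following check is an added example, not part of the PulseUno documentation. It reads `gpg --list-keys --with-colons` output and reports whether the key type is on the list above and whether a user ID carries the expected email address. The function name, verdict strings, and sample listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-upload check of a GPG key against the key types and
# email rule on this page. Input is `gpg --list-keys --with-colons` output.
# check_key, the verdict strings and the SAMPLE_* listings are constructed.

# Usage: gpg --list-keys --with-colons KEYID | check_key "$(git config user.email)"
# Returns 0 only if the key type is listed above and a user ID has that email.
check_key() {
  awk -F: -v want="$1" '
    BEGIN { want = tolower(want) }
    # Primary key record: field 3 = bits, 4 = algorithm id, 17 = curve name.
    $1 == "pub" && !seen { seen = 1; bits = $3 + 0; algo = $4 + 0; curve = tolower($17) }
    # User ID record: field 10 is "Name <email>".
    $1 == "uid" && match($10, /<[^>]+>/) {
      if (tolower(substr($10, RSTART + 1, RLENGTH - 2)) == want) email_ok = 1
    }
    END {
      if (!seen) { print "error: no pub record"; exit 2 }
      # OpenPGP algorithm ids: 1 = RSA, 17 = DSA, 19 = ECDSA, 22 = EdDSA.
      kind = "unsupported"
      if (algo == 1 && bits >= 1024 && bits <= 4096)
        kind = (bits >= 3072) ? "recommended" : "supported"
      else if (algo == 17 && bits >= 1024 && bits <= 3072) kind = "not-recommended"
      else if (algo == 22 && curve == "ed25519") kind = "recommended"
      else if (algo == 19 && (curve == "nistp384" || curve == "brainpoolp256r1"))
        kind = "supported"
      print "type=" kind " email=" (email_ok ? "match" : "mismatch")
      exit ((kind != "unsupported" && email_ok) ? 0 : 1)
    }'
}

# Constructed sample listings (key IDs and UID hashes are placeholders).
SAMPLE_ED25519='pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC:::::ed25519:::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:'
SAMPLE_RSA2048='pub:u:2048:1:1111111111111111:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:'
SAMPLE_DSA2048='pub:u:2048:17:2222222222222222:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:'

# Demo on the constructed Ed25519 listing.
printf '%s\n' "$SAMPLE_ED25519" | check_key alice@example.com
```

A mismatch here means the commit would be signed with a key whose user ID does not carry your account email, which is the condition the email check described above depends on.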


Add GPG public key

When you have a pair of GPG keys, add the public key to PulseUno.

To add a public GPG key:

  1. Click the user avatar on the top navigation bar, and select Preferences.
  2. On the sidebar, select Preferences > GPG Keys.
  3. On the GPG Keys page, click New GPG Key.
  4. In the Key box, enter the public key from the GPG key pair, starting with this line:

    -----BEGIN PGP PUBLIC KEY BLOCK-----

  5. Click Save.

After adding a GPG key to PulseUno, configure your Git command-line tool to use the key. For details, see the documentation for your Git client.

To permit only signed commits in a Git repository or branch, define a branch policy with the appropriate commits restrictions. For details, see Define branch policies.
