34

I have recently set up GPG to sign my Git commits so now I have a signingKey field in my gitconfig. I'm not very familiar with details of GPG – is this signingKey a sensitive piece of information that I should keep private or does it fall into the public part of gpg? I have my gitconfig in a public repo where I keep my dotfiles and I was wondering if it's ok to have that field visible.

Milad
  • 4,901
  • 5
  • 32
  • 43

2 Answers

33

No, it isn't necessary to keep it private.

The secret key is not in git's configs but in GnuPG's "keyring", which is usually some file in your HOME. In theory it can also be in more secure locations, like a hardware token, but I don't know much about it.

The value in git config only instructs gpg which secret key to select.

ngood97
  • 513
  • 5
  • 16
max630
  • 8,762
  • 3
  • 30
  • 55
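As an added example (not code from the question or from either answer), here is a small POSIX shell check you can run over a gitconfig before pushing it to a public dotfiles repository. It pulls out `user.signingkey`, classifies it as the kind of public selector git passes to gpg (short or long key ID, full fingerprint, or another selector such as an e-mail address), and rejects the file only if an ASCII-armored private key block has been pasted into it, which is the one thing in this area that must stay private. The file names, the placeholder key ID and both sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Checks a gitconfig
# before it is published in a dotfiles repo. Sample configs and paths below
# are constructed for this demonstration; the key ID is a placeholder.

# Print the value of user.signingkey (first match) from a gitconfig file.
# Assumes git's usual INI layout: "signingkey = VALUE" under [user].
signing_key_of() {
    sed -n 's/^[[:space:]]*[Ss]igning[Kk]ey[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Classify the selector git will hand to gpg. All of these are public
# identifiers; none of them is secret material.
#   keyid       8 or 16 hex digits (short/long key ID)
#   fingerprint 40 hex digits (full v4 key fingerprint)
#   selector    anything else gpg accepts, e.g. an e-mail address
#   none        no signingkey set
classify_signing_key() {
    val=$1
    if [ -z "$val" ]; then
        echo none
        return 0
    fi
    case "$val" in
        *[!0-9A-Fa-f]*) echo selector; return 0 ;;
    esac
    case "${#val}" in
        8|16) echo keyid ;;
        40)   echo fingerprint ;;
        *)    echo selector ;;
    esac
}

# Return 0 if the file carries an ASCII-armored private key block, which is
# the one thing that must never be published.
contains_private_key() {
    grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$1"
}

# Verdict for one file: prints a line and returns 0 (safe) or 1 (unsafe).
check_gitconfig() {
    if contains_private_key "$1"; then
        echo "unsafe: private key block found in $1"
        return 1
    fi
    kind=$(classify_signing_key "$(signing_key_of "$1")")
    echo "safe: $1 (signingkey is a $kind)"
    return 0
}

# Constructed samples: a normal config and one where a private key was
# pasted in by mistake. Neither contains real key data.
TMP=$(mktemp -d)
cat > "$TMP/good.gitconfig" <<'EOF'
[user]
    name = Example User
    email = user@example.invalid
    signingkey = 0123456789ABCDEF
[commit]
    gpgsign = true
EOF
cat > "$TMP/bad.gitconfig" <<'EOF'
[user]
    signingkey = 0123456789ABCDEF
-----BEGIN PGP PRIVATE KEY BLOCK-----
(constructed placeholder, not a real key)
-----END PGP PRIVATE KEY BLOCK-----
EOF

check_gitconfig "$TMP/good.gitconfig"
check_gitconfig "$TMP/bad.gitconfig" || true
```

Run it as a pre-push hook or a one-off over `~/.gitconfig`; a `safe` line confirms the only GPG-related value in the file is a selector, and the `grep` for an armored private key block catches the mistake that would actually matter.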
13

I'm not a security expert but I don't think that your signingkey must be kept private:

  • .gitconfig file doesn't contain any critical data (like private keys), hence many people share it on their GitHub dotfiles repository, including their signing key.
  • If it were to be kept private, GitHub wouldn't show it publicly when you click on "verified" button in a signed commit:

GPG key ID

Deniz
  • 793
  • 11
  • 20
  • 7
    You say that it needn't be private, yet ironically masked out the key ID from the screenshot. – jamesdlin May 10 '21 at 04:59
  • 9
    This is similar to posting your yearbook photo on a public forum. There is no security/privacy concern since you don't show your credit card number in the picture, but you'd still prefer not to be exposed to thousands of random people on the internet. This is the difference between privacy (security of content) and anonymity (security of identity). – Deniz May 12 '21 at 16:30
  • @Deniz how does the signingkey identify you in any way? – Alex Mandelias Apr 20 '23 at 08:37