Gitsign Installation

Installing Gitsign

You can install Gitsign on your system with the Go installer, via Homebrew, or with one of the available downloadable packages. Releases are published in the Gitsign repository under the Releases page.

Installing Gitsign with Go 1.17+

If you have Go 1.17+, you can install Gitsign with:

go install github.com/sigstore/gitsign@latest

The resulting binary will be placed at $GOPATH/bin/gitsign.

Installing Gitsign with Homebrew

If you are using Homebrew as a package manager for macOS or Linux, you can use it to install Gistign. Use brew tap to add Sigstore's repository to your system, then run brew install to get it installed:

brew tap sigstore/tap
brew install gitsign

Installing Gitsign with the .deb Package (Debian / Ubuntu Linux)

Check the releases page for the latest release, and download the appropriate .deb file.

wget https://github.com/sigstore/gitsign/releases/download/v0.1.0/gitsign_0.1.0_linux_amd64.deb
sudo dpkg -i gitsign_0.1.0_linux_amd64.deb

Installing Gitsign with the .rpm Package (Fedora Linux)

Check the releases page for the latest release, and download the appropriate .rpm file.

wget https://github.com/sigstore/gitsign/releases/download/v0.1.0/gitsign_0.1.0_linux_amd64.rpm
rpm -ivh gitsign_0.1.0_linux_amd64.rpm

Checking your Installation

Once you finish installing Gitsign, you can test that it is functional and ensure that it can be found on your $PATH by running a gitsign command.

gitsign --help

You'll get output similar to the following.

Usage: gitsign [-abhsv] [--include-certs n] [--status-fd n] [-t url] [-u USER-ID] [--verify] [files]
 -a, --armor                    create ascii armored output
 -b, --detach-sign              make a detached signature
 -h, --help                     print this help message
     --include-certs=n          -3 is the same as -2, but ommits issuer
                                when cert has Authority Information
                                Access extension. -2 includes all certs
                                except root. -1 includes all certs. 0
                                includes no certs. 1 includes leaf cert.
                                >1 includes n from the leaf. Default -2.
 -s, --sign                     make a signature
     --status-fd=n              write special status strings to the file
                                descriptor n.
 -t, --timestamp-authority=url  URL of RFC3161 timestamp authority to
                                use for timestamping
 -u, --local-user=USER-ID       use USER-ID to sign
     --verify                   verify a signature
 -v, --version                  print the version number

Troubleshooting

If you get an error such as command not found, it may be the case that your $PATH does not include the relevant bin directories where Gitsign should be installed.

If you installed Gitsign with Go, make sure you have your Go bin directory added to your $PATH.

Configuring Git to use Gitsign

After installing Gitsign on your system and making sure it is functional, you’ll need to tell Git that you want to use Gitsign to sign your commits from now on, whether locally on a project-based configuration or globally, which will be valid for commits made from your current system to any project.

Single Repository (Local Config):

cd /path/to/my/repository
git config --local commit.gpgsign true  # Sign all commits
git config --local gpg.x509.program gitsign  # Use Gitsign for signing
git config --local gpg.format x509  # Gitsign expects x509 args

All Repositories (Global Config):

git config --global commit.gpgsign true  # Sign all commits
git config --global gpg.x509.program gitsign  # Use gGtsign for signing
git config --global gpg.format x509  # Gitsign expects x509 args
Edit this page on GitHub Updated at Fri, Jun 24, 2022