Using Fortanix Data Security Manager for Git Commit Signing

1.0 Introduction

This article describes how to use Fortanix Data Security Manager (DSM) with GitHub for Git Commit signing. GitHub allows users to sign their Git commits locally using GNU Privacy Guard (GPG), Secure Shell (SSH), or Secure/Multipurpose Internet Mail Extensions (S/MIME). GitHub will verify the Commit Signature using the GPG Public key associated with the GitHub account and mark it as verified so that other users will know that those commits come from a trusted source. For more details, refer to Managing commit signature verification - GitHub Docs.

2.0 Prerequisites

Install the Fortanix Sequoia-PGP client from here and follow the instructions in this article to install sq-dsm.

3.0 Steps to Sign Git Commits Locally

You can use Fortanix-DSM (through sq-dsm) to create a GPG key and sign their Git commits with the GPG key generated in DSM. Follow the steps below to sign a Git commit locally: 

  1. Sign up at This opens DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
  2. Log in to the Fortanix DSM UI and create a new account if you do not have one.
  3. Create a group in the account that you created in Step 2.
  4. Create an application (app) with the default authentication method (API key) and interface REST API inside the group.
    For more details, refer to the Fortanix DSM Getting Started Guide.
  5. Set the following environment variables in your local environment:
    1. FORTANIX_API_KEY with the value of the API key.
    2. FORTANIX_API_ENDPOINT with the value of the Fortanix DSM URL.
  6. Create a GPG key using the following sq-dsm command. This command will generate a new key.
    sq-dsm key generate --dsm-key="<DSM-KEY-NAME>" --cipher-suite="<CIPHER-SUITE>" --userid="<EMAIL>"
    For example,
    sq-dsm key generate --dsm-key="git_key" --cipher-suite="nistp521" --userid="Alice <>"
    Fortanix DSM-SecurityObject.pngFigure 1: GPG key
  7. Extract the certificate (cert) using the following command. This command will convert a key to a cert and save it in gitkey.asc.
    sq-dsm key extract-cert --dsm-key="<DSM-KEY-NAME>" > gitkey.asc
    For example,
    sq-dsm key extract-cert --dsm-key="git_key" > gitkey.asc
  8. Add the generated GPG key to your GitHub account:
    1. In your GitHub account, Go to SettingAccessSSH and GPG Keys, and create a new GPG key.
    2. Enter the following details:
      • Title → The name of your GPG key.
      • Key → Paste the cert (gitkey.asc) from the previous step (Step 7).
    3. To confirm the action, authenticate with your GitHub account. CreateNewGPGKey.pngFigure 2: Create a new GPG key
  9. Create a .sh executable file with the following script (
    echo "[GNUPG:] BEGIN_SIGNING" >&2
    output=$(sq-dsm sign --detached --dsm-key "<DSM-KEY-NAME>")
    if echo "$output" | grep -q "approved"; then
        echo "$output" | sed '1,/approved/d'
    elif echo "$output" | grep -q "denied"; then
        exit 1;
        echo "$output"
    echo "[GNUPG:] SIG_CREATED D" >&2
    exit 0;
    Or you can also use the following batch script as an alternative to the above shell script based on your requirement. Replace <DSM-KEY-NAME> with your DSM GPG key name, in the above script.
    @echo off
    setlocal enabledelayedexpansion
    echo "[GNUPG:] BEGIN_SIGNING" >&2
    (set newline=^
    %=this line is empty=%
    for /f "delims=" %%i in ('sq-dsm sign --detached --dsm-key "<DSM-KEY-NAME>"') do (
        set "line=%%i"
        set "output=!output!%%i!newline!"
        echo "!line!" | findstr "approved" > nul 
        if !errorlevel! equ 0 (
          set "output="
        echo "!line!" | findstr "denied" > nul 
        if !errorlevel! equ 0 (
          exit /b 1
        echo "!line!" | findstr "BEGIN" > nul
        if !errorlevel! equ 0 (
          set "output=!output!!newline!"
    echo !output!
    echo "[GNUPG:] SIG_CREATED D" >&2
    exit /b 0
    Replace <DSM-KEY-NAME> with your DSM GPG key name, in the above scripts. For example,
    sq-dsm sign --detached --dsm-key "git_key"
  10. Set the local Git configuration using the following steps.
    1. Unset the configuration using the following command to use the default format of open pgp.
      git config --global --unset gpg.format
    2. Set the primary GPG signing key in Git using the following command.
      git config --global user.signingkey <Key ID>
      Replace the <Key ID> with the Key ID of the GPG key added to your GitHub account as described in Step 8 above.
    3. Set the GPG program in Git using the following command.
      git config --global gpg.program /path/to/
    4. Your GPG key must be associated with a GitHub-verified email linked to your GitHub account that matches your committer identity
      Set your EMAIL used for key creation in Fortanix DSM as in Git using the following command, and also ensure that it is a verified email in your GitHub account.
      git config --global <EMAIL>
    5. Optionally, you can use the following command to configure Git to sign all commits by default.
      git config --global commit.gpgsign true
  11. When committing changes, add the -S (note that ‘S’ must be capitalized) flag to the git commit command if commit.gpgsign was not set to true.
    For example:
    git commit -S -m "commit message"

4.0 Signed Git Commit

You will now get Signed Git Commits as shown in the figure below. Result.pngFigure 3: Signed Got commit

5.0 References

Managing commit signature verification - GitHub Docs


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful