Configure GPG Signing for Git Commits
Install the Open Source Package gnupg2
The open source package gnupg2 is required for GPG signing of Git commits. It must be installed on the IBM i. The easiest method to install it is the Open Source Package Management tool in IBM i ACS. Full instructions for Open Source Package Management are found here: https://www.ibm.com/support/pages/getting-started-open-source-package-management-ibm-i-acs.
Generate a GPG Key for the MD Service User
Start an SSH Bash Terminal Session on the IBM i using the MD Service User Credentials
The MD Service User is the user profile that the MDGIT Service job runs under. This user is defined in the MDCMS System Settings parameter MD Service User Profile.
Before connecting, ensure that the IFS home directory /home/<service_user> exists for the MD Service User (gnupg stores its keyring in the .gnupg subdirectory of the user's home directory). If it does not exist, create it with the CL command CRTDIR DIR('/home/<service_user>').
On your PC, start a bash terminal or command window and use the ssh <service_user>@<ibm_i_hostname> command to connect to the IBM i using the MD Service User's credentials. Replace <service_user> with the actual service user name and <ibm_i_hostname> with the hostname of the IBM i.
You will need to know the password for the service user to sign in, unless SSH keys are already configured and known for that user.
Set the Path Environment Variable
Use command PATH=/QOpenSys/pkgs/bin:$PATH followed by command export PATH to ensure that the gnupg2 executable can be found in the terminal session.
Generate the GPG Key
Use the command gpg --full-generate-key to generate a GPG key for the MD Service User. When prompted, select the following options:
- Key type: RSA and RSA (option 1)
- Key size: 4096 bits
- Key expiration: No expiration (option 0), unless you have specific requirements for expiring keys
- Real Name: Enter a user ID name that matches the Committer Name parameter for the Git Commit Template.
- Email Address: Enter the email address associated with the Committer Name. This must match the Committer Email parameter for the Git Commit Template.
- Comment: This is optional and can be left blank or used to provide additional information about the key.
- Type O to confirm the information and continue to the next step, or press one of the other options to edit the information you entered.
- Passphrase: Enter a secure passphrase to protect the GPG key. You will need to store this passphrase in the New GPG Passphrase parameter for the Git Commit Template.
- Repeat Passphrase: Enter the same passphrase again to confirm.
- After completing these steps, the GPG key will be generated once enough entropy has been gathered for the key generation process. If generation stalls, move your mouse or type random characters in the terminal until the key is generated.
Retrieve the GPG Key ID
After the GPG key is generated, use the command gpg --list-secret-keys to retrieve the key ID for the GPG key. The key ID is the 40-character hexadecimal string associated with the GPG key. You will need to enter this key ID in the GPG Key parameter for the Git Commit Template.
Import the GPG Public Key to Git Hosting Service
If you are using a Git hosting service such as GitHub, GitLab or Bitbucket, you will need to import the GPG public key to the hosting service in order for the GPG signatures to be verified and displayed on commits.
Use the command gpg --armor --export <key_id> to export the GPG public key in ASCII-armored format, where <key_id> is the 40-character hexadecimal key ID for the GPG key. Copy the entire output, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines.
Then, follow the instructions for your specific Git hosting service to add a new GPG key to the account used in the Git Repository Credentials and paste the copied public key into the appropriate field.
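The whole procedure above (key generation, key ID lookup, Git configuration, public key export) can be scripted for the MD Service User so the key is created the same way every time. The following is an added example written for this page; it is not MDCMS or IBM i documentation code. It assumes gnupg2 from /QOpenSys/pkgs/bin and a POSIX shell in PASE; the service user name, e-mail address, passphrase and the sample key listing are constructed placeholders. The unattended form `gpg --batch --generate-key` is used instead of the interactive `gpg --full-generate-key`, with the same choices (RSA, 4096 bits, no expiry). The passphrase is fed to gpg over a pipe rather than written to a parameter file on the IFS.

```shell
#!/bin/sh
# Added example: GPG signing key setup for the MD Service User (not MDCMS code).
set -eu

# Same PATH adjustment as the manual step, so gpg from gnupg2 is found.
export PATH=/QOpenSys/pkgs/bin:$PATH

# Write the unattended key-generation parameters for `gpg --batch --generate-key`.
# $1 = Real Name (Committer Name), $2 = e-mail (Committer Email), $3 = passphrase.
# Choices mirror the interactive steps: RSA and RSA, 4096 bits, no expiration.
gpg_batch_params() {
cat <<EOF
%echo Generating MD Service User signing key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Passphrase: $3
%commit
%echo done
EOF
}

# Read `gpg --list-secret-keys --with-colons` output on stdin and print the
# 40-character fingerprint of the primary secret key whose user ID carries
# the given e-mail address. In colon format a "sec" record is followed by an
# "fpr" record (field 10 = fingerprint) and then the "uid" record (field 10 = user ID).
fingerprint_for_email() {
  awk -F: -v email="$1" '
    $1 == "sec" { in_sec = 1; fpr = ""; next }
    in_sec && $1 == "fpr" && fpr == "" { fpr = $10; next }
    in_sec && $1 == "uid" && fpr != "" && index($10, "<" email ">") { print fpr; exit }
  '
}

# Point Git at the key and sign every commit made by this user.
# gpg.program is set explicitly because PASE may not have gpg on the default PATH.
configure_git_signing() {
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
  git config --global gpg.program /QOpenSys/pkgs/bin/gpg
}

# Constructed sample of `gpg --list-secret-keys --with-colons` output (not real keys).
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::X::MD Service User <mdsvc@example.com>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:::+:::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

if [ "${1:-}" = "run" ]; then
  # Full run: sh gpg-signing.sh run "<Committer Name>" <committer_email> <passphrase>
  NAME=$2; EMAIL=$3; PASS=$4
  gpg_batch_params "$NAME" "$EMAIL" "$PASS" | gpg --batch --generate-key
  KEY_ID=$(gpg --list-secret-keys --with-colons | fingerprint_for_email "$EMAIL")
  [ -n "$KEY_ID" ] || { echo "no secret key found for $EMAIL" >&2; exit 1; }
  echo "GPG Key parameter for the Git Commit Template: $KEY_ID"
  configure_git_signing "$KEY_ID"
  # Public key block to paste into GitHub/GitLab/Bitbucket for the Git Repository Credentials account.
  gpg --armor --export "$KEY_ID"
else
  # Dry run on the constructed listing: shows which fingerprint the parser selects.
  printf '%s\n' "$SAMPLE_LISTING" | fingerprint_for_email mdsvc@example.com
fi
```

After a signed commit exists, `git verify-commit HEAD` on the IBM i confirms that the configured key actually produced the signature before the public key is uploaded to the hosting service; the fingerprint is the primary key's, so it is the value that belongs in the GPG Key parameter, not the subkey fingerprint listed after the `ssb` record.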