Gitpod.io provides a online IDE development environment, that you can connect to your github account (or gitlab or bitbucket). You get also a command line. But signing commits is a bit more tricky.

You’ll need to transfer your private key (uh, dangerous) to the gitpod environment, import it into gnupg and use it with the command line git client. Note, that signing commits with vs code or theia doesn’t seem to be supported (eclipse-theia/theia#6299).

So, here is a small recipe that seems to be working:

  1. Export your private key as a base64 string:

    gpg --export-secret-keys <key-id> | base64 -w 0

  2. Put this into a variable in gitpod: https://gitpod.io/variables

    I named my variable “GNUPG_KEY”.

  3. Start a new workspace, e.g. by prefixing your github url with https://gitpod.io/#

    Now import the key with

    gpg --verbose --batch --import <(echo $GNUPG_KEY|base64 -d)

  4. Verify with gpg -K that the secret is indeed imported

  5. Configure gpg to use direct pin mode entry:

    echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf

  6. Change some file and commit it with signing:

    git commit --gpg-sign --message="test"

    You should need to enter your secret key password now.

  7. Verify with git log --show-signature that the commit is signed.

You could add the steps into your .gitpod.yml as described in Have Gitpod-based commits GPG-signed #666, e.g.

tasks:
  - before: >
      [[ ! -z $GNUPG_KEY  ]] &&
      gpg --verbose --batch --import <(echo $GNUPG_KEY|base64 -d) &&
      echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf