If you don’t have a GPG key, create one specifically for Flipt:
```bash
# Generate a new GPG key
gpg --full-generate-key

# Select RSA and RSA (default)
# Choose 4096 bits for maximum security
# Set expiration (recommended: 2 years)
# Enter details:
#   Real name: Flipt Bot
#   Email: flipt@yourcompany.com
#   Comment: Flipt configuration signing
```
Export your private key for storage in your secrets provider:
```bash
# Export private key (replace with your key ID)
gpg --export-secret-keys --armor flipt@yourcompany.com > flipt-signing-key.asc

# The key ID can be found with:
gpg --list-secret-keys flipt@yourcompany.com
```
Deploy your updated configuration and start or restart your Flipt server.

Flipt will now automatically sign all commits to your flag configuration repository.
After enabling signing, verify that new commits are being signed:
```bash
# Clone your flag repository
git clone https://github.com/company/flags.git
cd flags

# Check recent commits for signatures
git log --show-signature -5

# Look for GPG signature verification
git verify-commit HEAD
```
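To check more than `HEAD`, the following added example (not part of the Flipt documentation) audits recent commits against the pinned fingerprint of the signing key, so a commit signed by any other key fails as well as an unsigned one. The function name `audit_signatures`, the script name and the `<FINGERPRINT>` placeholder are assumptions of this example; the fingerprint is the 40-character hex value, without spaces, shown by `gpg --list-secret-keys`, and the public key must be imported into the keyring of the machine running the check.

```bash
#!/usr/bin/env bash
# Added example: audit commit signatures against one pinned key fingerprint.
# Input lines on stdin: "<commit> <status> <primary-key-fingerprint>", as produced by
#   git log --format='%H %G? %GP'
# Status codes are git's %G? values: G good, U good but key trust unknown,
# B bad, X/Y expired, R revoked key, E cannot check (public key not imported),
# N unsigned.

audit_signatures() {
    local expected="$1" commit status fpr failures=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case "$status" in
            G|U)
                # Signature is cryptographically good; now pin the signer.
                if [ "$fpr" != "$expected" ]; then
                    echo "FAIL $commit signed by unexpected key ${fpr:-unknown}"
                    failures=$((failures + 1))
                fi
                ;;
            N) echo "FAIL $commit is unsigned"; failures=$((failures + 1)) ;;
            *) echo "FAIL $commit signature status $status"; failures=$((failures + 1)) ;;
        esac
    done
    echo "$failures commit(s) failed the signature check"
    [ "$failures" -eq 0 ]
}

# Run inside the cloned flags repository:
#   ./audit-signatures.sh <FINGERPRINT> [commit-count]
if [ "$#" -ge 1 ]; then
    git log -n "${2:-20}" --format='%H %G? %GP' | audit_signatures "$1"
fi
```

Commits made before signing was enabled report `N`, so limit the commit count to the range created after the change.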
This guide showed how to configure GPG commit signing for Flipt v2 with GitHub. Your flag configuration changes will now be cryptographically signed, providing enhanced security and audit capabilities.

You can now use Flipt to manage your flags with verified commit signatures that prove the authenticity and integrity of your configuration changes.

If you have any questions or feedback, please reach out to the Flipt team on Discord or GitHub Discussions.