Version Control
Git is the standard for version control and it is already installed on Kubuntu. This page is not a Git tutorial: it covers the specific configuration that makes Git work well with the rest of the desktop setup built in this series. GPG commit signing via the Yubikey, SSH authentication via the GPG agent, and the GitHub integration that ties everything together.
Installation
Git is available in the Ubuntu repositories. The version in the repositories is kept reasonably current:
sudo apt install git git-extras
git-extras adds a set of useful supplementary commands: git summary, git changelog, git ignore, git back, and others worth knowing about.
Verify the version:
git --version
Global configuration
Global Git configuration is stored in ~/.gitconfig. Set it using git config --global rather than editing the file directly, which handles escaping and formatting correctly.
Identity
git config --global user.name "Your Name"
git config --global user.email "you@yourdomain.net"
The email address must match one of the email addresses associated with your GitHub account (or whichever forge you use) for commits to be attributed correctly.
Default branch name
git config --global init.defaultBranch main
Sets the default branch name for new repositories to main rather than the legacy master.
Default editor
git config --global core.editor "nano"
Or if you prefer VS Code:
git config --global core.editor "code --wait"
GPG commit signing
Git can sign commits, merges, and tags with your GPG key. GitHub and other platforms display a verified badge on signed commits, confirming they came from the holder of the key.
With the GPG key and Yubikey configured as covered earlier in this series, set the signing key and enable automatic signing:
git config --global user.signingKey $GPGKEY
git config --global commit.gpgSign true
git config --global tag.gpgSign true
git config --global log.showSignature true
git config --global merge.verifySignatures true
git config --global push.gpgSign if-asked
The commit.gpgSign true setting means every commit is signed automatically without needing to pass -S manually. When the Yubikey is present, the GPG agent handles the signature using the signing subkey on the card. The Qt pinentry dialog prompts for the PIN and a touch if touch confirmation is enabled.
Verify signing works:
cd /tmp
git init test-repo
cd test-repo
git commit --allow-empty -m "test signed commit"
git log --show-signature
The output should include Good signature from with your key details.
Credential storage
For HTTPS connections to GitHub or other forges, Git needs somewhere to store credentials. The modern approach on Kubuntu is to use the Git credential manager via the system keyring rather than the older in-memory cache:
sudo apt install libsecret-1-0 libsecret-1-dev
sudo make --directory=/usr/share/doc/git/contrib/credential/libsecret
git config --global credential.helper \
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
This stores credentials in KWallet (via the libsecret interface), so they persist across sessions without ever being written to a plaintext file.
Alternatively, if you use SSH exclusively (which is the recommended approach below), credential storage is not needed at all.
Useful defaults
# Show diffs in a more readable format
git config --global diff.algorithm histogram
# Automatically set up remote tracking branches
git config --global push.autoSetupRemote true
# Rebase rather than merge when pulling
git config --global pull.rebase true
# Automatically stash before rebase
git config --global rebase.autoStash true
# Show colour output
git config --global color.ui auto
# Better conflict markers
git config --global merge.conflictstyle diff3
SSH configuration for GitHub
Using the GPG authentication subkey
If your GPG authentication subkey is on the Yubikey and the GPG agent is configured with SSH support (as covered in the GPG SSH section), GitHub SSH connections use the same key as SSH connections to your servers. No separate SSH key is needed.
Add the GPG agent SSH socket to your ~/.ssh/config for GitHub connections:
Host github.com
HostName github.com
User git
IdentityAgent ${SSH_AUTH_SOCK}
IdentitiesOnly yes
Export your SSH public key from the GPG agent:
ssh-add -L
Copy the output and add it to your GitHub account at https://github.com/settings/keys under SSH keys.
Test the connection:
ssh -T git@github.com
A successful response:
Hi yourusername! You've successfully authenticated, but GitHub does not provide shell access.
Port 443 fallback
Some networks block outbound SSH on port 22. GitHub also accepts SSH connections on port 443, which is almost never blocked:
Host github.com
HostName ssh.github.com
Port 443
User git
IdentityAgent ${SSH_AUTH_SOCK}
IdentitiesOnly yes
To test whether port 443 SSH to GitHub works from your current network:
ssh -T -p 443 git@ssh.github.com
Adding your GPG key to GitHub
GitHub can verify signed commits if your GPG public key is added to your account. Export the minimal public key:
gpg --export-options export-minimal --armor --export $GPGKEY
Copy the output and add it to your GitHub account at https://github.com/settings/keys under GPG keys. Once added, signed commits on GitHub show a green Verified badge.
Personal access tokens
If you use HTTPS for some GitHub operations (for example, with tools that do not support SSH), generate a personal access token rather than using your password. GitHub accounts with two-factor authentication (which yours should have) require tokens for HTTPS authentication.
Generate a token at https://github.com/settings/tokens. Use fine-grained tokens where possible, scoped to the specific repositories and permissions needed rather than a broad classic token.
Store the token in KeePassXC under Infrastructure > GitHub > Personal Access Token.
Meld: visual diff and merge tool
Meld is the best visual diff and merge tool available on Linux. It integrates cleanly with Git for resolving merge conflicts and reviewing diffs interactively.
sudo apt install meld
Configure Git to use Meld as the default diff and merge tool:
git config --global diff.tool meld
git config --global merge.tool meld
git config --global difftool.meld.cmd 'meld "$LOCAL" "$REMOTE"'
git config --global mergetool.meld.cmd 'meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"'
git config --global difftool.prompt false
git config --global mergetool.prompt false
To open a visual diff of uncommitted changes:
git difftool
To open Meld for a merge conflict:
git mergetool
Meld shows a three-way view during merges: the local version on the left, the base version in the middle, and the remote version on the right. Use the arrow buttons to pull changes from either side into the merged result.
The full ~/.gitconfig
After all the configuration above, ~/.gitconfig should look similar to this. Verify with git config --global --list:
[user]
name = Your Name
email = you@yourdomain.net
signingKey = 0x0123456789ABCDEF
[init]
defaultBranch = main
[core]
editor = nano
[commit]
gpgSign = true
[tag]
gpgSign = true
[log]
showSignature = true
[merge]
verifySignatures = true
tool = meld
conflictstyle = diff3
[push]
gpgSign = if-asked
autoSetupRemote = true
[pull]
rebase = true
[rebase]
autoStash = true
[diff]
tool = meld
algorithm = histogram
[difftool "meld"]
cmd = meld "$LOCAL" "$REMOTE"
[mergetool "meld"]
cmd = meld "$LOCAL" "$BASE" "$REMOTE" --output "$MERGED"
[difftool]
prompt = false
[mergetool]
prompt = false
[color]
ui = auto
[credential]
helper = /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
Dolphin Git integration
The dolphin-plugins package installed in the toolbox section adds Git status indicators to Dolphin and a right-click context menu for common Git operations. Right-click any file or directory in a Git repository to access commit, diff, log, and push without opening a terminal.
The GPG signing configuration requires the
GPGKEYenvironment variable to be set in~/.bashrc. If commit signing fails with “error: gpg failed to sign the data”, check that$GPGKEYis set in your current session and that the GPG agent is running. If the Yubikey is required, verify it is inserted.