
Is putting Git config setting "user.signingKey" under version control considered harmful?


I'm signing my Git commits and therefore my .gitconfig looks like this:

[commit]
    gpgsign = true
[user]
    name = myUser
    email = myUser@users.noreply.github.com
    signingkey = 0123456789012345
[credential "https://github.com"]
    username = myUser

Now I'm wondering whether it is considered unsafe/a problem to put this file into my dotfiles repository, thinking in terms of leaking something secret with user.signingKey.


Solution

  • The config value of user.signingKey is public information anyway; there is no need to protect it. A key pair has a (public) id and that is what you specify here. The key id comprises the last digits of the key's fingerprint.

    You can easily verify that the information is indeed public by taking any public key (without having the private key of the pair) and inspecting it with the gpg command line tool. Here's a simple public key created for demonstration purposes:

    $ cat pubkey.asc
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mDMEZp4m9RYJKwYBBAHaRw8BAQdAc5jOgXWQzjPnItp5zcWU/n3WpTAz+S99pGRE
    imywNrS0LlN0YWNrb3ZlcmZsb3cgdGVzdCA8c3RhY2tvdmVyZmxvd0BleGFtcGxl
    LmNvbT6ImQQTFgoAQRYhBGTh7pBxpq8gEzm/V/f2YL5/m0PDBQJmnib1AhsDBQkF
    o5qABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPf2YL5/m0PDuyYBAIBV
    NFxX1CsbfOgB24GWPAG3crJIdGTioF8FFQNgc4jDAP99tAO0ATb/VTO/YQAfNxmU
    y4sqHrbfH8++5w3RSLKZCLg4BGaeJvUSCisGAQQBl1UBBQEBB0AbNLuD+F890q7Y
    yGA/N6fflVjlhVJsDI35UhBQed28LwMBCAeIfgQYFgoAJhYhBGTh7pBxpq8gEzm/
    V/f2YL5/m0PDBQJmnib1AhsMBQkFo5qAAAoJEPf2YL5/m0PDriEA/Aj6BQV6u1FR
    ci+bu/o+l2Ln4J7ZzZgTa9vGOpFeixQKAP4o2/mOCsqbRYbxTuN3XDpfoY5S+Mp0
    ljDuSZD1dL7FCQ==
    =9D88
    -----END PGP PUBLIC KEY BLOCK-----
    

    You can trivially extract the key id from the public key with gpg:

    $ gpg --show-keys pubkey.asc 
    pub   ed25519 2024-07-22 [SC] [expires: 2027-07-22]
          64E1EE9071A6AF201339BF57F7F660BE7F9B43C3
    uid           Stackoverflow test <stackoverflow@example.com>
    sub   cv25519 2024-07-22 [E] [expires: 2027-07-22]
    $ # or (insecure, short ids):
    $ gpg --list-packets < pubkey.asc | grep keyid:
        keyid: F7F660BE7F9B43C3
        keyid: 350EFC87BA3DB5D9
    

    (one keyid for the key and one keyid for the subkey)

    Or by looking at the raw data:

    $ < pubkey.asc sed -n '/^$/,/=/p' | base64 -d | xxd | head
    00000000: 9833 0466 9e26 f516 092b 0601 0401 da47  .3.f.&...+.....G
    00000010: 0f01 0107 4073 98ce 8175 90ce 33e7 22da  ....@s...u..3.".
    00000020: 79cd c594 fe7d d6a5 3033 f92f 7da4 6444  y....}..03./}.dD
    00000030: 8a6c b036 b4b4 2e53 7461 636b 6f76 6572  .l.6...Stackover
    00000040: 666c 6f77 2074 6573 7420 3c73 7461 636b  flow test <stack
    00000050: 6f76 6572 666c 6f77 4065 7861 6d70 6c65  overflow@example
    00000060: 2e63 6f6d 3e88 9904 1316 0a00 4116 2104  .com>.......A.!.
    00000070: 64e1 ee90 71a6 af20 1339 bf57 f7f6 60be  d...q.. .9.W..`.
    00000080: 7f9b 43c3 0502 669e 26f5 021b 0305 0905  ..C...f.&.......
    00000090: a39a 8005 0b09 0807 0202 2202 0615 0a09  ..........".....
    

    If you look at offset 0x70, you will recognize the fingerprint/key id (64E1EE9071A6AF201339BF57F7F660BE7F9B43C3) again:

              vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
    00000070: 64e1 ee90 71a6 af20 1339 bf57 f7f6 60be  d...q.. .9.W..`.
    00000080: 7f9b 43c3 0502 669e 26f5 021b 0305 0905  ..C...f.&.......
              ^^^^^^^^^
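As an added example (not part of the question or the answer above), this Python walks the raw OpenPGP packets of the demonstration key and recomputes what gpg printed: the v4 fingerprint is SHA-1 over the public-key packet (RFC 4880, section 12.2), and the 16-hex-digit key id that goes into user.signingKey is simply its last 64 bits, so it is derivable from public data alone. It assumes v4 keys and rejects partial-body and indeterminate packet lengths.

```python
import base64
import hashlib

# Demonstration public key from the answer above, base64 body only (armor header, blank line and "=9D88" CRC line dropped).
PUBKEY_B64 = (
    "mDMEZp4m9RYJKwYBBAHaRw8BAQdAc5jOgXWQzjPnItp5zcWU/n3WpTAz+S99pGRE"
    "imywNrS0LlN0YWNrb3ZlcmZsb3cgdGVzdCA8c3RhY2tvdmVyZmxvd0BleGFtcGxl"
    "LmNvbT6ImQQTFgoAQRYhBGTh7pBxpq8gEzm/V/f2YL5/m0PDBQJmnib1AhsDBQkF"
    "o5qABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPf2YL5/m0PDuyYBAIBV"
    "NFxX1CsbfOgB24GWPAG3crJIdGTioF8FFQNgc4jDAP99tAO0ATb/VTO/YQAfNxmU"
    "y4sqHrbfH8++5w3RSLKZCLg4BGaeJvUSCisGAQQBl1UBBQEBB0AbNLuD+F890q7Y"
    "yGA/N6fflVjlhVJsDI35UhBQed28LwMBCAeIfgQYFgoAJhYhBGTh7pBxpq8gEzm/"
    "V/f2YL5/m0PDBQJmnib1AhsMBQkFo5qAAAoJEPf2YL5/m0PDriEA/Aj6BQV6u1FR"
    "ci+bu/o+l2Ln4J7ZzZgTa9vGOpFeixQKAP4o2/mOCsqbRYbxTuN3XDpfoY5S+Mp0"
    "ljDuSZD1dL7FCQ=="
)

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet (old- and new-format headers)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0x40:  # new format: tag in low 6 bits, 1/2/5-octet body length
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old format: tag in bits 5..2, bits 1..0 select a 1/2/4-octet length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length, pos = int.from_bytes(data[pos:pos + (1 << ltype)], "big"), pos + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(body):
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || key packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 key packets are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_ids(b64_body):
    """Return [(tag, fingerprint, key id)] for the primary key (tag 6) and each subkey (tag 14)."""
    fprs = [(t, v4_fingerprint(b)) for t, b in iter_packets(base64.b64decode(b64_body)) if t in (6, 14)]
    return [(t, f, f[-16:]) for t, f in fprs]  # key id = low 64 bits = last 16 hex digits
```

Running key_ids(PUBKEY_B64) reproduces the fingerprint from `gpg --show-keys` and both keyids from `gpg --list-packets`, the second one belonging to the encryption subkey.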