@dileepadev
Created July 10, 2025 14:58
Configuring GPG Commit Signing with GitHub

Ensure your commits on GitHub are verifiable and secure by signing them with GPG. Follow the steps below to set up GPG commit signing.

Step 1: Generate a GPG Key

Open your terminal (Git Bash recommended) and run:

gpg --full-generate-key

When prompted, choose the following options:

  • Key type: ECC (sign and encrypt) *default*
  • Elliptic curve: Curve 25519 *default*
  • Expiration: Choose an expiration date or select "0" for no expiration
  • Name: Enter your full name
  • Email: Enter the email address associated with your GitHub account

GnuPG needs to construct a user ID to identify your key.

  • Real name: Enter a name. e.g., my-pc
  • Email address: Enter an email. e.g., <[email protected]>
  • Comment: Enter a comment. e.g., main

You selected this USER-ID: "my-pc (main) [email protected]"

Next, enter a passphrase.

This process creates a new GPG key pair on your system.

Step 2: Find Your GPG Key ID

To list your GPG keys and find the ID of the key you just created, run:

gpg --list-secret-keys --keyid-format LONG

The output will look something like this:

...
---------
sec   df34344/53342B0F19EC835B 2025-07-10 [SC] [expires: 2026-01-06]
      1234ABCD5678EF90ABCDEF1234567890ABCDEF12
uid           [ultimate] my-pc (main) <[email protected]>
ssb   cv34456/BADRCDEF123456R4 2025-07-10 [E] [expires: 2026-01-06]

Copy the long key ID after the slash (/). In this example, it is:

53342B0F19EC835B

Step 3: Export Your Public GPG Key

To add your GPG key to GitHub, you need to export the public key in ASCII-armored format:

gpg --armor --export 53342B0F19EC835B

This command outputs a block of text that starts and ends with:

-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

Copy the entire output, including the BEGIN and END lines.

Step 4: Add Your GPG Key to GitHub

  1. In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.
  2. In the sidebar, click SSH and GPG keys.
  3. Next to the "GPG keys" header, click New GPG key.
  4. In the "Title" field, type a name for your GPG key (e.g., "My Laptop GPG Key").
  5. In the "Key" field, paste the public key you copied earlier.
  6. Click Add GPG key.
  7. If prompted, authenticate to your GitHub account to confirm the action.

Step 5: Configure Git to Use Your GPG Key

Tell Git to use your GPG key for signing commits by running:

git config --global user.signingkey 53342B0F19EC835B

Enable commit signing by default:

git config --global commit.gpgsign true

This configuration ensures that all your commits are signed automatically.

Step 6: Create Signed Commits

Now, when you create commits, Git will sign them automatically. GPG prompts for your key's passphrase when it signs:

git commit -m "Your commit message"

Alternatively, if signing is not enabled by default, sign a specific commit with the -S flag:

git commit -S -m "Your commit message"

After pushing your commits to GitHub, they should display a green Verified badge, indicating they were signed with your GPG key.
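As a scripted alternative to reading the key ID off the listing in Step 2 by eye, the following added example (not part of the original gist) picks the long key ID from GnuPG's machine-readable `--with-colons` listing, skipping expired, revoked, disabled or invalid keys. The function name `signing_key_for_email`, the address user@example.com and the sample listing are constructed for illustration; only the key ID 53342B0F19EC835B is taken from the example above.

```shell
#!/bin/sh
# Added example: choose the key for user.signingkey from colon-format output.
# Real use (hypothetical address):
#   gpg --list-secret-keys --with-colons | signing_key_for_email you@example.com

# Prints the long key ID of the first usable secret key that can sign and
# carries a user ID with the given email. Returns non-zero if none matches.
# Colon format: field 1 = record type, 2 = validity, 5 = long key ID,
# 10 = user ID string (uid records), 12 = capabilities (sec records).
signing_key_for_email() {
  awk -F: -v email="$1" '
    $1 == "sec" {
      keyid = ""
      # Skip expired (e), revoked (r), disabled (d) and invalid (i) keys,
      # and primary keys without the signing capability (lowercase s).
      if ($2 !~ /^[erdi]$/ && $12 ~ /s/) keyid = $5
    }
    $1 == "uid" && keyid != "" && $2 !~ /^[er]$/ &&
      index($10, "<" email ">") { print keyid; found = 1; exit }
    END { exit !found }
  '
}

# Constructed sample listing: an expired key and a current key that share
# the same email address, followed by an encryption subkey.
SAMPLE='sec:e:255:22:0000AAAA1111BBBB:1672531200:1704067200::u:::sc:::+:::ed25519:::0:
uid:e::::1672531200::0000000000000000000000000000000000000000::old-pc (main) <user@example.com>::::::::::0:
sec:u:255:22:53342B0F19EC835B:1752105600:1767657600::u:::scESC:::+:::ed25519:::0:
uid:u::::1752105600::1111111111111111111111111111111111111111::my-pc (main) <user@example.com>::::::::::0:
ssb:u:255:18:2222CCCC3333DDDD:1752105600:1767657600:::::e:::+:::cv25519::'

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE" | signing_key_for_email user@example.com
```

The printed ID is the value to pass to git config --global user.signingkey in Step 5; the expired key is skipped even though it lists the same address.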