Skip to content

Instantly share code, notes, and snippets.

@mukolweke

mukolweke/how-to-setup-verified-commits.md

Forked from Beneboe/how-to-setup-verified-commits.md
Created August 21, 2022 11:57
Show Gist options
  • Save mukolweke/ed24b5f8f5936d1dc8edd2e6343bc737 to your computer and use it in GitHub Desktop.
Save mukolweke/ed24b5f8f5936d1dc8edd2e6343bc737 to your computer and use it in GitHub Desktop.
Download ZIP
How to Setup Verified Commits on Github
Raw
how-to-setup-verified-commits.md

How to Setup Verified Commits

Quick guide on how to setup git signing. Information is aggregated from following sources:

Creating GPG Keys

  1. First, generate a GPG key pair. Your GPG key must use RSA with a key size of 4096 bits.
$ gpg --full-generate-key
  1. At the prompt, specify the kind of key you want, or press Enter to accept the default RSA and RSA.
  2. Enter the desired key size. We recommend the maximum key size of 4096.
  3. Enter the length of time the key should be valid. Press Enter to specify the default selection, indicating that the key doesn't expire.
  4. Verify that your selections are correct.
  5. Enter your user ID information.

When asked to enter your email address, ensure that you enter the verified email address for your GitHub account. To keep your email address private, use your GitHub-provided no-reply email address. For more information, see "Verifying your email address" and "About commit email addresses."

  1. Type a secure passphrase.
  2. Use the gpg --list-secret-keys --keyid-format LONG command to list GPG keys for which you have both a public and private key. A private key is required for signing commits or tags. From the list of GPG keys, copy the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:
$ gpg --list-secret-keys --keyid-format LONG
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10
  1. Paste the text below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:
$ gpg --armor --export 3AA5C34371567BD2
# Prints the GPG key ID, in ASCII armor format
  1. Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Adding a new GPG key to your GitHub account

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the user settings sidebar, click SSH and GPG keys.
  3. Click New GPG key.
  4. In the "Key" field, paste the GPG key you copied when you generated your GPG key.
  5. Click Add GPG key.
  6. To confirm the action, enter your GitHub password.

Getting GPG Keys

  1. Open Git Bash
  2. Use the gpg --list-secret-keys --keyid-format LONG command to list GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.
  3. From the list of GPG keys, copy the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:
$ gpg --list-secret-keys --keyid-format LONG
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10

Git Settings

To set your GPG signing key in Git, paste the text below, substituting in the GPG key ID you'd like to use. In this example, the GPG key ID is 3AA5C34371567BD2:

$ git config --global user.signingkey 3AA5C34371567BD2

To tell git to automatically sign commits you can set:

$ git config --global commit.gpgsign true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment