When a team signs their commits, it’s easy to verify the commits are actually from the team members.
If you don’t have a GPG key yet, generate one with gpg --gen-key
. Enter the info at the prompt, and then type gpg --list-secret-keys --keyid-format LONG
to view your key info.
At the line starting with sec
, the string between the /
and the space is your PUBLIC_KEY_ID. Note it down, and add run the following command to instruct git to use it:
git config user.signingkey PUBLIC_KEY_ID
git config gpg.program gpg
git config commit.gpgsign true
From now on, when you commit in that repo (or every repo if you used git config --global
) you commits will be signed and verified.
Next, upload your public key to GitHub to see your commit marked as "Verified". You can see your public key with the command gpg --armor --export PUBLIC_KEY_ID
.
Thanks @mayeenulislam, I just updated the gist.