Using signed commits on GitHub

A quick tutorial on setting up signed commits for GitHub-hosted git repositories.

Florimond Manca,

You can sign git commits with a GPG key to guarantee that they were made by you.

On GitHub, they show up like this:

The looks of signed commits on GitHub (2018).
The looks of signed commits on GitHub (2018).

Recently I set up personal repositories on a work laptop, using a separate git config. As I was configuring the "personal" git config, I couldn't remember how to enable signed commits for committing to GitHub-hosted repositories.

I do have an old Tweet about this, but I figured I might as well turn this into a quick blog post.

Note: this is specific to GitHub, which has signed commits docs spread across multiple pages of their documentation. For reference, Gitlab has an single-page guide, which looks much easier to follow.

Step 1: Generate GPG keys

On Linux:

$ sudo apt install gnupg
$ gpg --gen-key

Fill in your name and email, optionally set a pass phrase.

Step 2: Let git know

See this GitHub docs page:

$ gpg --list-secret-keys --keyid-format=long <EMAIL>

Identify the sec line and grab thelong form, which begins after the slash /, eg:

sec   rsa3072/<GPG_KEY_ID> 2022-07-02 [SC] [expires: 2024-07-01]

Add it to your global git config, at ~/.gitconfig. For me, /.gitconfig-florimondmanca (my personal git config) now looks like this:

    name = florimondmanca
    email = <EMAIL>
    signingkey = <GPG_KEY_ID>
    gpgsign = true

commit.gpgsign = true enables auto-signing of git commits.

Step 3: Add GPG key to GitHub

Generate the GPG public key from the long form GPG key ID:

$ gpg --armor --export <GPG_KEY_ID>

Copy the output, then add it to your GitHub account.

Should be all set. Now try pushing a commit, and you should see that green "Verified" badge on commits or pull requests.