Using signed commits on GitHub
A quick tutorial on setting up signed commits for GitHub-hosted git repositories.
You can sign git commits with a GPG key to guarantee that they were made by you.
On GitHub, such commits show up with a green "Verified" badge.
Recently I set up personal repositories on a work laptop, using a separate git config. As I was configuring the "personal" git config, I couldn't remember how to enable signed commits for committing to GitHub-hosted repositories.
I do have an old Tweet about this, but I figured I might as well turn this into a quick blog post.
Note: this is specific to GitHub, which has its signed-commits docs spread across multiple pages of its documentation. For reference, GitLab has a single-page guide, which looks much easier to follow.
Step 1: Generate GPG keys
On Linux:
$ sudo apt install gnupg
$ gpg --gen-key
Fill in your name and email, and optionally set a passphrase.
Step 2: Let git know
See this GitHub docs page:
$ gpg --list-secret-keys --keyid-format=long <EMAIL>
Identify the sec line and grab the long-form key ID, which begins after the slash (/), e.g.:
sec rsa3072/<GPG_KEY_ID> 2022-07-02 [SC] [expires: 2024-07-01]
Add it to your global git config, at ~/.gitconfig. For me, /.gitconfig-florimondmanca (my personal git config) now looks like this:
[user]
    name = florimondmanca
    email = <EMAIL>
    signingkey = <GPG_KEY_ID>
[commit]
    gpgsign = true
commit.gpgsign = true enables auto-signing of git commits.
Step 3: Add GPG key to GitHub
Generate the GPG public key from the long form GPG key ID:
$ gpg --armor --export <GPG_KEY_ID>
Copy the output, then add it to your GitHub account (Settings > SSH and GPG keys > New GPG key).
Should be all set. Now try pushing a commit, and you should see that green "Verified" badge on commits or pull requests.
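Steps 2 and 3 hinge on picking the right 16-character key ID out of the gpg listing, and two things commonly go wrong there: grabbing an expired key (gpg will refuse to sign with it) or a key whose uid e-mail is not a verified address on the GitHub account (the badge then reads "Unverified"). The following is an added example, not code from the original post: it parses a constructed `gpg --list-secret-keys --keyid-format=long` listing, selects the first key that is still valid and carries the wanted e-mail, renders the `[user]`/`[commit]` git config from Step 2, and builds the export command from Step 3. The sample listing, names, key IDs, fingerprints and dates are all placeholders.

```python
"""Added example (not from the original post): pick the long-form GPG key ID
for Step 2 and render the git config and Step 3 export command around it.

The listing below is constructed to mimic `gpg --list-secret-keys
--keyid-format=long` output; every name, key ID, fingerprint and date in it
is a placeholder, not a real key.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample: two secret keys with the same e-mail, the first expired.
SAMPLE_LISTING = """\
/home/alice/.gnupg/pubring.kbx
------------------------------
sec   rsa3072/1111111111111111 2020-01-01 [SC] [expires: 2021-12-31]
      1111111111111111111111111111111111111111
uid                 [ultimate] Alice Example (old laptop) <alice@example.com>
ssb   rsa3072/2222222222222222 2020-01-01 [E] [expires: 2021-12-31]

sec   rsa3072/3AA5C34371567BD2 2022-07-02 [SC] [expires: 2024-07-01]
      3AA5C34371567BD23AA5C34371567BD23AA5C343
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa3072/4BB6D45482678CE3 2022-07-02 [E] [expires: 2024-07-01]
"""

# "sec   rsa3072/3AA5C34371567BD2 2022-07-02 [SC] [expires: 2024-07-01]"
# The long-form key ID is the 16 hex digits after the slash.
SEC_LINE = re.compile(
    r"^sec\s+(?P<algo>[^/\s]+)/(?P<keyid>[0-9A-F]{16})\s+(?P<created>\d{4}-\d{2}-\d{2})"
    r"\s+\[(?P<caps>[A-Z]+)\](?:\s+\[expires:\s+(?P<expires>\d{4}-\d{2}-\d{2})\])?"
)
# "uid                 [ultimate] Alice Example <alice@example.com>"
UID_LINE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?.*<(?P<email>[^>]+)>")


@dataclass
class SecretKey:
    keyid: str
    created: date
    expires: Optional[date]
    caps: str  # usage flags, e.g. "SC" = sign + certify, "E" = encrypt only
    emails: List[str] = field(default_factory=list)

    def usable_for_signing(self, today: date) -> bool:
        # gpg refuses to sign with an expired key, and the key needs the
        # "S" capability; an encryption-only key cannot sign commits.
        return "S" in self.caps and (self.expires is None or today <= self.expires)


def parse_secret_keys(listing: str) -> List[SecretKey]:
    """Turn the listing into SecretKey records; each uid line is attached
    to the most recent sec line above it."""
    keys: List[SecretKey] = []
    for line in listing.splitlines():
        m = SEC_LINE.match(line)
        if m:
            keys.append(SecretKey(
                keyid=m["keyid"],
                created=date.fromisoformat(m["created"]),
                expires=date.fromisoformat(m["expires"]) if m["expires"] else None,
                caps=m["caps"],
            ))
            continue
        m = UID_LINE.match(line)
        if m and keys:
            keys[-1].emails.append(m["email"].lower())
    return keys


def select_signing_key(listing: str, email: str, today_iso: str) -> Optional[SecretKey]:
    """First key usable for signing on `today_iso` whose uid carries `email`.
    That e-mail must also be a verified address on the GitHub account for
    the "Verified" badge to appear."""
    today = date.fromisoformat(today_iso)
    for key in parse_secret_keys(listing):
        if email.lower() in key.emails and key.usable_for_signing(today):
            return key
    return None


def render_gitconfig(name: str, email: str, keyid: str) -> str:
    """The [user]/[commit] snippet from Step 2 with the key ID filled in."""
    return (
        "[user]\n"
        f"\tname = {name}\n"
        f"\temail = {email}\n"
        f"\tsigningkey = {keyid}\n"
        "[commit]\n"
        "\tgpgsign = true\n"
    )


def export_command(keyid: str) -> List[str]:
    """argv for Step 3: export the armored public key to paste into GitHub."""
    return ["gpg", "--armor", "--export", keyid]


if __name__ == "__main__":
    key = select_signing_key(SAMPLE_LISTING, "alice@example.com", "2023-01-01")
    if key is None:
        raise SystemExit("no usable signing key for that e-mail")
    print(render_gitconfig("Alice Example", "alice@example.com", key.keyid))
    print(" ".join(export_command(key.keyid)))
```

Run it against real output by replacing SAMPLE_LISTING with the text of `gpg --list-secret-keys --keyid-format=long` and passing today's date; the expired first key is skipped and only 3AA5C34371567BD2 is returned.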