Have you ever wished your GitHub commits could have that prestigious "verified" badge, similar to the coveted blue tick on social media? While I can't help with Instagram verification, I can guide you through the process of verifying your GitHub commits. Verified commits not only add authenticity and security to your work but also showcase your professionalism. Let's dive in and get your commits verified!
What Are Verified Commits?
Verified commits are a way to ensure that the changes pushed to a repository are genuinely from you and haven't been tampered with by someone else. GitHub uses GPG (GNU Privacy Guard) to sign commits and tags, adding a layer of security and authenticity to your contributions.
Below is an example of how a verified commit looks.
Why Should You Use Verified Commits?
- Authenticity: Assures your collaborators and users that your commits are genuinely from you.
- Security: Prevents unauthorized changes and tampering.
- Professionalism: Adds credibility to your open-source projects.
The Problem with Unverified Commits
One significant issue with unverified commits is that anyone can pretend to be you by simply changing the git config settings. For example, someone can set their user.name and user.email to your details and make commits that appear to come from you. Without verification, these commits can mislead collaborators and compromise the integrity of your project.
An Example Scenario
Consider a situation where a friend makes a commit using your name and email address:
git config user.name "Your Name"
git config user.email "your.email@example.com"
Below commit was made using my friend's details from my account.
This commit will appear to be from you, but since you use verified commits, it will be tagged as Unverified on GitHub. This visual cue helps distinguish between genuine and potentially spoofed commits.
By using verified commits, you can ensure that only commits genuinely made by you carry the "Verified" badge, enhancing trust and authenticity.
How to Get Started with Verified Commits
Step 1: Install GPG
First, you need to install GPG on your system.
Windows: Download and install Gpg4win.
macOS: Use Homebrew to install GPG.
brew install gnupg
Linux: Use your package manager.
sudo apt-get install gnupg
Step 2: Check Existing GPG Keys
Before generating a new GPG key, check if you already have one.
gpg --list-secret-keys --keyid-format LONG
This command lists all the GPG keys available on your system along with their details. If you find an existing key you'd like to use, you can skip to adding this key to GitHub.
Step 3: Generate a GPG Key
If you don't have an existing GPG key or want to create a new one, generate a new GPG key.
gpg --full-generate-key
Follow the prompts to set up your key. Choose RSA and RSA (default), key size of 4096 bits, and set a validity period if you prefer. Enter your name and email address (use the same email address associated with your GitHub account).
Step 4: Retrieve Your GPG Key ID
After generating the key, retrieve your GPG key ID.
gpg --list-secret-keys --keyid-format LONG
You'll see an output similar to this:
/home/user/.gnupg/secring.gpg
------------------------------
sec 4096R/ABC123456789DEF0 2024-01-01 [expires: 2025-01-01]
uid Your Name <your.email@example.com>
ssb 4096R/0987654321ABCDEF 2024-01-01
Copy the long string after sec (in this case, ABC123456789DEF0).
Step 5: Add Your GPG Key to GitHub
Export your GPG key and add it to your GitHub account.
gpg --armor --export ABC123456789DEF0
Copy the output and go to GitHub > Settings > SSH and GPG keys > New GPG key. Paste the key there and save it.
Step 6: Configure Git to Use Your GPG Key
Tell Git to sign your commits with your GPG key.
git config --global user.signingkey ABC123456789DEF0
To sign all your commits by default, add this to your global Git configuration.
git config --global commit.gpgSign true
Step 7: Verify Your Signed Commits
Now, every time you commit, Git will sign the commit with your GPG key. You can verify that your commits are signed and verified on GitHub by looking for the "Verified" badge next to your commits.
Troubleshooting
If you encounter issues, ensure that your GPG key is correctly associated with your GitHub email and that you've configured Git correctly. You may also need to cache your GPG passphrase to avoid entering it every time you commit.
echo "use-agent" >> ~/.gnupg/gpg.conf
echo "default-cache-ttl 28800" >> ~/.gnupg/gpg-agent.conf
echo "max-cache-ttl 28800" >> ~/.gnupg/gpg-agent.conf
Restart the GPG agent to apply the changes.
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
Conclusion
Adding GPG signatures to your commits is a great way to enhance the security and authenticity of your contributions on GitHub. It assures others that your work is genuinely yours and hasn't been tampered with. Follow these steps to get your commits verified and add that extra layer of credibility to your projects.
Top comments (3)
Insightful, it is 🌻. Thanks for the blog
Good post
Thanks