How to Verify Your Git Commits and Tags with GPG: A Step-by-Step Guide

Fahim Faisaal

In the world of open source and collaborative development, identity is everything. When you see a commit from torvalds on the Linux kernel, how do you know it's actually Linus Torvalds and not an impersonator?

The answer is GPG signing.

By signing your commits with a GPG (GNU Privacy Guard) key, you cryptographically attest that the commit came from the holder of your private key and that its contents haven't been altered since it was signed. GitHub (and GitLab) rewards this with a shiny green "Verified" badge.

Here is a straightforward guide to setting this up.


1. Install GPG

First, you need the GPG tool installed on your machine.

macOS (Homebrew):

brew install gnupg

Linux (Debian/Ubuntu/Pop!_OS):

sudo apt install gnupg

Windows:
Download and install Gpg4win.

2. Generate a GPG Key

Run the following command to generate a new key pair non-interactively: a 4096-bit RSA key with the default usage (signing and certification) that never expires. Note that --passphrase "" leaves the private key unprotected on disk; drop that option, or supply a real passphrase, if you want GPG to prompt for one before signing.

gpg --batch --passphrase "" --quick-gen-key "Your Name <your_email@example.com>" rsa4096 default never

3. Get Your Key ID

Once generated, list your keys to find the Key ID:

gpg --list-secret-keys --keyid-format LONG

Output example:

sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC]
      ...
uid                 [ultimate] John Doe <john@example.com>

In this example, 3AA5C34371567BD2 (the part after the slash on the sec line) is your Key ID.


4. Tell Git About Your Key

Now configure Git to use this key for signing.

Set the key:

git config --global user.signingkey 3AA5C34371567BD2

(Replace 3AA5C34371567BD2 with your actual Key ID)

Enable automatic signing (Optional but recommended):
This ensures every commit you make is signed by default.

git config --global commit.gpgsign true

5. Add Your Public Key to GitHub

Git knows about your key, but GitHub doesn't yet.

1. Export your public key:

gpg --armor --export 3AA5C34371567BD2

2. Copy the output:
Copy the entire block (including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END...).

3. Add to GitHub:

  1. Go to Settings > SSH and GPG keys.
  2. Click New GPG key.
  3. Paste your key and save.

6. Verify It Works

Make a commit in any repository (if you skipped commit.gpgsign in step 4, add -S to sign this one commit):

git commit -m "My first signed commit"

Push it to GitHub. You should now see the Verified badge next to your commit in the history. You can also check locally, before pushing, with git verify-commit HEAD or git log --show-signature -1.

Verified Badge Example

Troubleshooting

If you see "Unverified":

  1. Check that the email in git config user.email matches the email in your GPG key.
  2. Ensure that exact email is added and verified in your GitHub account settings.
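The following script is an added example, not code from the original post. It walks through steps 2 to 6 and the first troubleshooting check end to end in a throwaway GNUPGHOME and git repository (both deleted at the end), so your real keyring and ~/.gitconfig are untouched. It goes slightly beyond the steps above: it also signs a tag with git tag -s, which the title promises but the steps don't show, and it verifies locally with git verify-commit and git verify-tag instead of relying on GitHub's badge. The name "Demo Signer", the emails and the tag name are constructed; email_in_key and gpg_sign_demo are helper names chosen here.

```sh
#!/bin/sh
# Added example (not from the original post). Everything happens in a
# throwaway GNUPGHOME and git repository that are deleted at the end, so
# your real keyring and ~/.gitconfig are untouched. Names/emails are constructed.
set -eu

# Does the given email appear in one of the key's user IDs?  This is the
# check behind the first troubleshooting step: GitHub shows "Unverified"
# when the committer email does not match a uid on the signing key.
email_in_key() {
    gpg --list-keys --with-colons "$1" 2>/dev/null |
        awk -F: -v mail="$2" '$1 == "uid" && index($10, "<" mail ">") { found = 1 } END { exit !found }'
}

gpg_sign_demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Same shape as the post's key-generation command. --pinentry-mode loopback
    # is what makes --passphrase honoured in batch mode on GnuPG 2.1+.
    # An empty passphrase is only acceptable here because the key is temporary.
    gpg --batch --pinentry-mode loopback --passphrase "" --quick-gen-key \
        "Demo Signer <demo@example.com>" rsa4096 default never 2>/dev/null

    # Long key ID from the machine-readable listing (field 5 of the "sec" record);
    # the same value you read off "gpg --list-secret-keys --keyid-format LONG".
    keyid=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')

    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name "Demo Signer"
    git -C "$repo" config user.email "demo@example.com"   # must match the key's uid
    git -C "$repo" config user.signingkey "$keyid"
    git -C "$repo" config commit.gpgsign true              # step 4: sign every commit

    echo "hello" > "$repo/README.md"
    git -C "$repo" add README.md
    git -C "$repo" commit -q -m "My first signed commit"    # signed via commit.gpgsign
    git -C "$repo" tag -s v1.0.0 -m "Signed release tag"    # -s signs the tag

    # Local verification, independent of GitHub's badge: both commands exit
    # non-zero on a missing or bad signature, which aborts the script under set -e.
    git -C "$repo" verify-commit HEAD 2>/dev/null
    git -C "$repo" verify-tag v1.0.0 2>/dev/null
    status=$(git -C "$repo" log -1 --format=%G?)   # G = good signature, N = unsigned

    # Troubleshooting check: the configured email matches the key, a different one does not.
    if email_in_key "$keyid" "demo@example.com";  then m1=ok; else m1=mismatch; fi
    if email_in_key "$keyid" "other@example.com"; then m2=ok; else m2=mismatch; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$status $m1 $m2"
}
```

Running gpg_sign_demo prints "G ok mismatch": a good signature on the commit, the committer email found among the key's uids, and a deliberately wrong email rejected. To use the email check against your real setup, call email_in_key with the output of git config user.signingkey and git config user.email; a non-zero exit is the mismatch that produces an "Unverified" badge.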
