Fahim Faisaal
How to Verify Your Git Commits with GPG: A Step-by-Step Guide

In the world of open source and collaborative development, identity is everything. When you see a commit from torvalds on the Linux kernel, how do you know it's actually Linus Torvalds and not an impersonator?

The answer is GPG signing.

By signing your commits with a GPG (GNU Privacy Guard) key, you cryptographically prove that each commit was made by the holder of your private key and that its contents have not been altered since. GitHub (and GitLab) reward this with a shiny green "Verified" badge.

Here is a straightforward guide to setting this up.


1. Install GPG

First, you need the GPG tool installed on your machine.

macOS (Homebrew):

brew install gnupg

Linux (Debian/Ubuntu/Pop!_OS):

sudo apt install gnupg

Windows:
Download and install Gpg4win.

2. Generate a GPG Key

Run the following command to generate a new key pair.

gpg --full-generate-key

You will be prompted to make some choices:

  1. Kind of key: Choose (1) RSA and RSA (default).
  2. Key size: Choose 4096.
  3. Expiration: Choose 0 (key does not expire), unless you have a specific security policy.
  4. Real Name: Enter your full name.
  5. Email Address: Crucial! This MUST match an email address that is verified on your GitHub account.
  6. Passphrase: Set a strong password to protect your private key.

3. Get Your Key ID

Once generated, list your keys to find the Key ID:

gpg --list-secret-keys --keyid-format LONG

Output example:

sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC]
      ...
uid                 [ultimate] John Doe <john@example.com>

In this example, 3AA5C34371567BD2 is your Key ID.


4. Tell Git About Your Key

Now configure Git to use this key for signing.

Set the key:

git config --global user.signingkey 3AA5C34371567BD2

(Replace 3AA5C34371567BD2 with your actual Key ID)

Enable automatic signing (Optional but recommended):
This ensures every commit you make is signed by default.

git config --global commit.gpgsign true

5. Add Your Public Key to GitHub

Git knows about your key, but GitHub doesn't yet.

1. Export your public key:

gpg --armor --export 3AA5C34371567BD2

2. Copy the output:
Copy the entire block (including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END...).

3. Add to GitHub:

  1. Go to Settings > SSH and GPG keys.
  2. Click New GPG key.
  3. Paste your key and save.

6. Verify It Works

Make a commit in any repository:

git commit -m "My first signed commit"

Push it to GitHub. You should now see the verified badge next to your commit in the history!

(Image: Verified Badge Example)

Troubleshooting

If you see "Unverified":

  1. Check that the email in git config user.email matches one of the email addresses (uids) on your GPG key.
  2. Ensure that exact email is added and verified in your GitHub account settings.
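The two troubleshooting checks above can be automated. The script below is an added example, not part of the original post: it parses the `gpg --list-secret-keys --keyid-format LONG` listing from step 3 and confirms that `user.signingkey` names a key in the keyring and that `user.email` is one of that key's uid addresses. The sample listing, fingerprint, second key and work address are constructed for the example; when run directly it queries the real gpg and git if they are installed.

```python
import re
import shutil
import subprocess

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output (fingerprint and second key made up).
SAMPLE_LISTING = """\
sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC]
      ABCDEF0123456789ABCDEF013AA5C34371567BD2
uid                 [ultimate] John Doe <john@example.com>
sec   ed25519/ABCDEF0123456789 2023-06-15 [SC] [expires: 2025-06-15]
uid                 [ultimate] John Doe (work) <john@work.example>
"""
SEC_RE = re.compile(r"^sec\s+\S+/([0-9A-F]{16})\s+(\d{4}-\d{2}-\d{2})")
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]+\]\s+)?.*<([^>]+)>\s*$")

def parse_secret_keys(listing):
    """Return [{'keyid', 'created', 'emails'}] for every 'sec' entry in the listing."""
    keys = []
    for line in listing.splitlines():
        sec = SEC_RE.match(line)
        if sec:
            keys.append({"keyid": sec.group(1), "created": sec.group(2), "emails": []})
            continue
        uid = UID_RE.match(line)
        if uid and keys:  # a uid line belongs to the most recent sec entry
            keys[-1]["emails"].append(uid.group(1).lower())
    return keys

def check_signing_setup(listing, signingkey, git_email):
    """The guide's troubleshooting checks: user.signingkey must name a secret key
    in the keyring and user.email must be a uid on that key. Returns (ok, reason)."""
    key = next((k for k in parse_secret_keys(listing) if k["keyid"] == signingkey), None)
    if key is None:
        return False, "user.signingkey %s is not a secret key in this keyring" % signingkey
    if git_email.lower() not in key["emails"]:
        return False, "user.email %s is not a uid on key %s (uids: %s)" % (
            git_email, signingkey, ", ".join(key["emails"]))
    return True, "key %s has a uid matching %s" % (signingkey, git_email)

def run(cmd):
    """stdout of a command, or '' when the tool is not installed."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True).stdout.strip()

if __name__ == "__main__":  # live check when gpg and git exist, else the sample data
    listing = run(["gpg", "--list-secret-keys", "--keyid-format", "LONG"]) or SAMPLE_LISTING
    key = run(["git", "config", "--global", "user.signingkey"]) or "3AA5C34371567BD2"
    email = run(["git", "config", "--global", "user.email"]) or "john@example.com"
    print(check_signing_setup(listing, key, email))
```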
