Motivation
GitHub's verified commits can be useful, especially when you are making open source software.
A signature is a guarantee that the person who signed the commit made it.
GitHub commits are very easy to change, since they are not secured the way, for example, Bitcoin's blockchain is.
How To?
If you are on a Mac, first install gpg using Homebrew:
brew install gpg
...after some ☕️ break
gpg --default-new-key-algo rsa4096 --gen-key
- Type name and last name
- Type email address 📧
- Type password twice
This should generate the keys:
pub rsa4096 2020-07-29 [SC] [wygasa: 2022-07-29]
688BA86A3C51E5A1350986EFD63EC3228BD83581
uid Grzegorz Kucmierz <gkucmierz@gmail.com>
ls ~/.gnupg
. S.gpg-agent.extra pubring.kbx
.. S.gpg-agent.ssh pubring.kbx~
S.gpg-agent openpgp-revocs.d trustdb.gpg
S.gpg-agent.browser private-keys-v1.d
List your keys
gpg --list-secret-keys
Add to GitHub
Export public key:
gpg --armor --export
My key:
Go to GitHub's settings:
Copy and paste the key into the GitHub form under the SSH and GPG keys category
Your key should be added now:
Setup local git
Check your key 🔑 id:
gpg --list-secret-keys --keyid-format LONG
sec rsa4096/D63EC3228BD83581 2020-07-29 [SC] [wygasa: 2022-07-29]
688BA86A3C51E5A1350986EFD63EC3228BD83581
uid [ absolutne ] Grzegorz Kucmierz <gkucmierz@gmail.com>
Add it in git config:
git config --global user.signingkey D63EC3228BD83581
And export the GPG_TTY variable in your .profile file. In my case, .zshrc:
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
Now you need to add the -S flag to your commit:
git commit -m "testing verified commit" -S
And your commit should be signed now:
Sign all commits by default
Just change the global git config:
git config --global commit.gpgSign true
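An added example (not from the original post): the key listing in the "Check your key id" step is localized (note the Polish "wygasa"), so a script that picks the value for user.signingkey should read gpg's machine-readable --with-colons format instead. The helper names, addresses and key records below are constructed for illustration.

```shell
#!/bin/sh
# Added example: signing_key_for_email and sample_listing are hypothetical
# helpers, not commands from the post.

# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# long key ID of the first usable signing key whose user ID has address $1.
signing_key_for_email() {
  awk -F: -v email="$1" '
    $1 == "sec" {
      # Field 2: validity (e=expired, r=revoked, d=disabled, i=invalid).
      # Field 5: long key ID. Field 12: capabilities; an uppercase S means
      # the key as a whole can currently sign.
      usable = ($2 !~ /^[erdi]$/ && $12 ~ /S/)
      keyid = $5
      next
    }
    # Field 10 of a uid record is the "Name <address>" string.
    $1 == "uid" && usable && $2 !~ /^[er]$/ && index($10, "<" email ">") {
      print keyid
      exit
    }
  '
}

# Constructed sample listing (not real keys): one expired key and one valid
# key for alice, one revoked key for carol.
sample_listing() {
  cat <<'EOF'
sec:e:4096:1:1111111111111111:1500000000:1560000000::u:::sc:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:e::::1500000000::0000000000000000000000000000000000000001::Alice Example <alice@example.com>::::::::::0:
sec:u:4096:1:2222222222222222:1600000000:1900000000::u:::scESC:::+:::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:u::::1600000000::0000000000000000000000000000000000000002::Alice Example <alice@example.com>::::::::::0:
uid:u::::1600000000::0000000000000000000000000000000000000003::Alice Work <alice@work.example>::::::::::0:
sec:r:4096:1:3333333333333333:1600000000:::u:::sc:::+:::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:r::::1600000000::0000000000000000000000000000000000000004::Carol Example <carol@example.com>::::::::::0:
EOF
}

# Real use (assumes gpg and git are installed):
#   key=$(gpg --list-secret-keys --with-colons | signing_key_for_email you@example.com)
#   [ -n "$key" ] && git config --global user.signingkey "$key"
sample_listing | signing_key_for_email alice@work.example
```

An empty result means no usable signing key matched the address, which is the case to handle before writing anything to git config.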
Top comments (3)
I already sign my commits and doing:
It's key to prevent some errors.
Great post. Thanks for sharing!
Good read, thanks. Do you have any idea how to deal, in an easy way, with more than one GitHub account on one machine, in the context of having two verified accounts?
Good question!
signingkey is added in the [user] section.
I am not sure, but I think you should be able to add multiple [user] sections.
Check git docs for more details: git-scm.com/docs/git-config