How to make my git contributions verified?

Grzegorz Kućmierz (gkucmierz)

Motivation

GitHub's verified commits are useful, especially when you are working on open source software.

A signature is a guarantee that the person who signed the commit is the one who made it.
GitHub commits are very easy to change, since they are not secured the way, for example, Bitcoin's blockchain is.

How To?

If you are on a Mac, first install gpg using Homebrew:

brew install gpg

...after some ☕️ break

gpg --default-new-key-algo rsa4096 --gen-key
  • Type your first and last name
  • Type your email address 📧
  • Type your password twice

This should generate your keys:

pub   rsa4096 2020-07-29 [SC] [wygasa: 2022-07-29]
      688BA86A3C51E5A1350986EFD63EC3228BD83581
uid                      Grzegorz Kucmierz <gkucmierz@gmail.com>

ls ~/.gnupg
.                    S.gpg-agent.extra    pubring.kbx
..                   S.gpg-agent.ssh      pubring.kbx~
S.gpg-agent          openpgp-revocs.d     trustdb.gpg
S.gpg-agent.browser  private-keys-v1.d

List your keys:

gpg --list-secret-keys

Add to Github

Export public key:

gpg --armor --export

My key:

Go to GitHub's settings.

Copy and paste the key into the GitHub form under the SSH and GPG keys category.

Your key should be added now.

Setup local git

Check your key 🔑 ID:

gpg --list-secret-keys --keyid-format LONG
sec   rsa4096/D63EC3228BD83581 2020-07-29 [SC] [wygasa: 2022-07-29]
      688BA86A3C51E5A1350986EFD63EC3228BD83581
uid          [   absolutne   ] Grzegorz Kucmierz <gkucmierz@gmail.com>

Add it in git config:

git config --global user.signingkey D63EC3228BD83581

Then export the GPG_TTY variable in your shell profile file (in my case, .zshrc):

echo 'export GPG_TTY=$(tty)' >> ~/.zshrc

Now add the -S flag when you commit:

git commit -m "testing verified commit" -S

Your commit should now be signed.

Sign all commits by default

Just change the global git config:

git config --global commit.gpgSign true
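
To check locally that the commits you are about to push are signed with the key configured above, the following added example (not part of the original post) audits the output of git log --format='%h %G? %GK'. The function names, the sample hashes and the accept-only-G policy are assumptions of this example; the key ID is the one shown in this article.

```shell
#!/bin/sh
# Added example. %G? codes per git's pretty-format documentation:
#   G good, B bad, U good but validity unknown, X signature expired,
#   Y key expired, R key revoked, E cannot be checked, N not signed.

# audit_signatures EXPECTED_KEY_ID
# Reads "<hash> <status> [<key>]" lines on stdin, prints one finding per
# failing commit, and returns non-zero if any commit fails the policy
# (assumed policy: status G and a signing key ending in EXPECTED_KEY_ID).
audit_signatures() {
    [ -n "$1" ] || { echo "usage: audit_signatures KEY_ID" >&2; return 2; }
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    failures=0
    while read -r hash status key; do
        [ -n "$hash" ] || continue
        key=$(printf '%s' "$key" | tr 'a-f' 'A-F')
        case "$status" in
            G)  # Suffix match: tolerate a full fingerprint in the key field.
                case "$key" in
                    *"$expected") continue ;;
                    *) reason="signed by unexpected key ${key:-unknown}" ;;
                esac ;;
            U)  reason="good signature, but key validity unknown" ;;
            X)  reason="signature expired" ;;
            Y)  reason="signing key expired" ;;
            R)  reason="signing key revoked" ;;
            B)  reason="bad signature" ;;
            E)  reason="cannot be checked (public key missing?)" ;;
            N)  reason="not signed" ;;
            *)  reason="unrecognised status '$status'" ;;
        esac
        printf '%s: %s\n' "$hash" "$reason"
        failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample input: hashes are made up, the key ID is the article's.
sample_log() {
    cat <<'EOF'
a1b2c3d G D63EC3228BD83581
b2c3d4e N
c3d4e5f G 0123456789ABCDEF
d4e5f6a Y D63EC3228BD83581
EOF
}

# Real use: git log --format='%h %G? %GK' | audit_signatures D63EC3228BD83581
sample_log | audit_signatures D63EC3228BD83581 || echo "signature policy failed"
```

The Y case is relevant to the key generated above, because it was created with an expiry date.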

Discussion

I already sign my commits and doing:

export GPG_TTY=$(tty)

It's key to prevent some errors.

Great post. Thanks for sharing!

 

Good read, thanks. Do you have any idea how to easily deal with more than one GitHub account on one machine, in the context of having two verified accounts?

 

Good question!

signingkey is added in [user] section

I am not sure, but I think you should be able to add multiple [user] sections.

Check git docs for more details: git-scm.com/docs/git-config