When working with Git and GitHub, you may notice a “Verified” badge on some commits. This badge means the commit was cryptographically signed, proving it truly came from the author and wasn’t tampered with.
In this article, you’ll learn how to set up GPG keys for an existing GitHub account and start signing your commits.
What Is a GPG Key and Why It Matters?
GPG (GNU Privacy Guard) is a tool used to:
- Digitally sign commits and tags
- Prove authorship and integrity
- Improve security and trust in collaborative projects
Benefits of signing commits:
- Your commits show as Verified on GitHub
- Protects against commit spoofing
- Builds credibility as a developer
Prerequisites
Before you begin, make sure you have:
- A GitHub account
- Git installed
- GPG installed on your system
Terminal access
Step 1: Check If GPG Is Installed
Run this command:
gpg --version
If GPG is not installed:
Ubuntu / Debian
sudo apt update && sudo apt install gnupg
macOS (Homebrew)
brew install gnupg
Windows
Install Gpg4win from the official site.
Step 2: Generate a New GPG Key
Run:
gpg --full-generate-key
When prompted:
Key type: RSA and RSA
Key size: 4096
Expiration: Choose what works for you (e.g., 1y or 0 for no expiry)
Name & Email:
Use the same email address as your GitHub account
Passphrase: Use a strong one (don’t forget it)
After completion, your GPG key is created
Step 3: List Your GPG Keys and Copy the Key ID
Run:
gpg --list-secret-keys --keyid-format=long
Example output:
/home/nyaugenya/.gnupg/pubring.kbx
----------------------------------
sec rsa3072/CBC3C9CAC3450592 2025-12-17 [SC] [expires: 2027-12-17]
DD88627124BA164FD7D531C8CBC3C9CAC3450592
uid [ultimate] nyaugenya (go!!!) <odhiamborose466@gmail.com>
ssb rsa3072/4DB25F105F5D7F76 2025-12-17 [E] [expires: 2027-12-17]
Copy the key ID after rsa4096/
Example: DD88627124BA164FD7D531C8CBC3C9CAC3450592
Step 4: Export the GPG Public Key
Run:
gpg --armor --export DD88627124BA164FD7D531C8CBC3C9CAC3450592
Copy everything, including:
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Step 5: Add the GPG Key to GitHub
- Go to GitHub → Settings
- Click SSH and GPG keys
- Under GPG keys, click New GPG key
- Paste the copied key
- Click Add GPG key
_GitHub now knows your signing key
_
Step 6: Tell Git to Use Your GPG Key
Configure Git with your key ID:
git config --global user.signingkey DD88627124BA164FD7D531C8CBC3C9CAC3450592
Enable commit signing by default:
git config --global commit.gpgsign true
Make sure your Git email matches GitHub:
git config --global user.email "odhiamborose466@gmail.com"
Git to automatically GPG-sign all tags you create
git config --global tag.gpgSign true
Step 7: (Linux) Fix “GPG Failed to Sign the Data” Error
If you see this error, run:
export GPG_TTY=$(tty)
To make it permanent:
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
Then reload:
source ~/.bashrc
Step 8: Make a Signed Commit
Create a commit:
git commit -m "My first signed commit"
Or explicitly sign:
git commit -S -m "Signed commit"
Push your changes:
git push
Top comments (0)