Unverified, Partially and Verified Commits



GitHub is a pretty awesome platform for sharing code and one of the best VCS (version control systems) in the world. Being a distributed version control system, it enables you to share code with other developers from your local communities and across the globe. With GitHub, you can create a repository, upload files, and commit your changes.
[Image: unverified, partially and verified commits]

With all these features, a project on GitHub can at times include many people, so proper identification of the contributors is a must. Commit identification on GitHub is done using a GPG signature.

What is a GPG signature?

The GPG (GNU Privacy Guard) signature is a digital signature that is generated using a GPG key. GPG signatures are widely used by Linux package managers such as apt to verify the integrity of downloaded files. GPG signatures are also used by GitHub to verify the integrity of commits. As seen in the picture above, there are three types of commits: partially verified, unverified and verified. Let's see how to verify the commits.

Verifying the commits

Generating a GPG key

A commit is verified when the commit is signed by a GPG key. GitHub Blog explains how to generate a GPG key.

  1. Download the GPG command line tools for your operating system and install them.
  2. On your terminal, type the following command to generate a GPG key.
$ gpg --full-generate-key
  3. At the prompt, specify the kind of key you want, or press Enter to accept the default.
  4. At the prompt, specify the key size you want, or press Enter to accept the default. Your key must be at least 4096 bits.
  5. Enter the length of time the key should be valid. Press Enter to accept the default selection, which means the key doesn't expire, or choose something else depending on your preference.
  6. Verify that your selections are correct.
  7. Enter your user ID information, i.e. GitHub username, email and token.
  8. Type a secure passphrase.
  9. Use the gpg --list-secret-keys --keyid-format=long command to list the long form of the GPG keys for which you have both a public and private key. A private key is required for signing commits or tags.
$ gpg --list-secret-keys --keyid-format=long
  10. From the list of GPG keys, copy the long form of the GPG key ID you'd like to use. In this example, the GPG key ID is 3*4*6*1*5*8...:
$ gpg --list-secret-keys --keyid-format=long
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot 
ssb   4096R/42B317FD4BA89E7A 2016-03-10
  11. Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
  12. Next, add the GPG key to your GitHub account.
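
As an added example (not from the original post or from GitHub's documentation), the script below reads a `gpg --list-secret-keys --keyid-format=long` listing, flags RSA keys below the 4096-bit minimum from the key size step, and returns the first usable key ID. The second key in the sample and the function names are constructed for illustration; the `git config` and `gpg --armor --export` commands in `configure_git_signing` are standard git and gpg commands that the post does not show.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed listing: the first key is the one in the sample output above,
# the second is a made-up weak key in the newer "rsa2048" notation.
SAMPLE_LISTING='sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10
sec   rsa2048/1111222233334444 2020-01-01 [SC]
uid                          Constructed Weak Key
ssb   rsa2048/5555666677778888 2020-01-01 [E]'

# Read a listing on stdin; print "<KEYID> <verdict>" for each primary key.
# Verdicts: ok (RSA >= 4096 bits), weak (smaller RSA), non-rsa (size not checked).
# Only plain "sec" lines are considered; subkeys (ssb) are ignored.
signing_key_ids() {
  awk '$1 == "sec" {
    split($2, part, "/"); algo = part[1]; id = part[2]
    if (algo ~ /^[0-9]+R$/) { bits = substr(algo, 1, length(algo) - 1) + 0 }  # 4096R
    else if (algo ~ /^rsa[0-9]+$/) { bits = substr(algo, 4) + 0 }             # rsa4096
    else { print id, "non-rsa"; next }
    print id, (bits >= 4096 ? "ok" : "weak")
  }'
}

# Print the first key ID with verdict "ok"; exit status 1 if there is none.
first_usable_key_id() {
  signing_key_ids | awk '$2 == "ok" && !found { print $1; found = 1 }
                         END { exit !found }'
}

# Tell git to sign every commit with key $1, then print the public key block
# (BEGIN/END PGP PUBLIC KEY BLOCK) to paste into GitHub. Needs git and gpg;
# defined here but not called, so the script runs without a keyring.
configure_git_signing() {
  git config --global user.signingkey "$1" &&
  git config --global commit.gpgsign true &&
  gpg --armor --export "$1"
}

# Demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | signing_key_ids
```

Against a real keyring, pipe the output of `gpg --list-secret-keys --keyid-format=long` into `first_usable_key_id` and pass the result to `configure_git_signing`; the `--global` setting applies to every repository of the current user.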

Adding a GPG key to your GitHub account

  1. Go to your GitHub account, click on Settings, then go to the Access section in the side navbar.

  2. After clicking on the SSH and GPG keys link, click on the New GPG button.

  3. Following step 10 of Generating a GPG key, paste the GPG key in the text area and click on the Save button.

  4. To confirm the action, enter your GitHub password.


With all these settings in place, you can be sure of making good, authenticated commits from both your computer and GitHub. You can now commit to your GitHub repository. Thanks for going through this tutorial.