How to Verify Your Commits on GitHub
March 01, 2021
If you've ever needed to verify your commits, either for an open source project, or your employer, but not sure how then this is the guide for you!
I'll walk you through verifying your commits on GitHub for Linux.
To do this, follow these steps:
- Generate a GPG key using RSA with size of 4096 bitsgpg --full-generate-key
- Press enter to accept default RSA.
- Type in
- Enter length of time key should be vaid. Press enter to never expire.
- Verify everything looks Okay.
- Enter the same email used by your GitHub account and git config.
- Type in a secure password and save it somewhere.
- List the key with:gpg --list-secret-keys --keyid-format LONG
- Grab the key ID. In this example, the key ID is
99E91413F3F0F32A:➜ dotfiles git:(master) gpg --list-secret-keys --keyid-format LONGgpg: checking the trustdbgpg: marginals needed: 3 completes needed: 1 trust model: pgpgpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u/home/coder/.gnupg/pubring.kbx------------------------------sec rsa4096/99E91413F3F0F32A 2021-03-01 [SC]2E7C0CDB3335CA962145539d7F99E91413F3F0F32Auid [ultimate] Joe Previte <email@example.com>ssb rsa4096/FDAAA3AF85CEF1E0 2021-03-01 [E]
- Now run this command which will print the GPG key in ASCII armor format:
gpg --armor --export 99E91413F3F0F32A
- Copy the whole block to your clipboard. Then we'll add it to GitHub.
Now that we have the key, we need to tell GitHub about it.
- Go to Settings > New GPG Key
- Paste the key from the Step 1.
- Hit add key.
The key exists locally and GitHub knows about it. Now we need to tell our local git settings to use it.
- Remember the key we used above? Mine was
99E91413F3F0F32A. Get that.
git config --global user.signingkeyfollowed by your key.
- Tell git to automatically sign your commits withgit config --global commit.gpgsign true
The final step is to update your shell config file. This ensure the key is set as an environment variable for git and GPG to use.
- Open your
- Add this to the bottomexport GPG_TTY=$(tty)
- Restart your shell by running
If you try committing, you'll notice that GPG asks for your passphrase. But we don't want this. At least, we want to cache our passphrase so we don't have to enter it for every commit. To do that, follow these steps:
- Go to
~/.gnupg/gpg-agent.conf. If it doesn't exist, create it.
- Add this line:default-cache-ttl 360000
- Save and restart your shell again.
And that's it! You can verify that it's working by pushing any commit to any repo.
If you're having issues, I suggest taking a look at Troubleshooting GPG git commit signing.