How to Verify Your Commits on GitHub
If you’ve ever needed to verify your commits, either for an open source project, or your employer, but not sure how then this is the guide for you!
I’ll walk you through verifying your commits on GitHub for Linux.
1. Create a GPG Key
To do this, follow these steps:
- Generate a GPG key using RSA with size of 4096 bits
- Press enter to accept default RSA.
- Type in
- Enter length of time key should be vaid. Press enter to never expire.
- Verify everything looks Okay.
- Enter the same email used by your GitHub account and git config.
- Type in a secure password and save it somewhere.
- List the key with:
gpg --list-secret-keys --keyid-format LONG
- Grab the key ID. In this example, the key ID is
➜ dotfiles git:(master) gpg --list-secret-keys --keyid-format LONG gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /home/coder/.gnupg/pubring.kbx ------------------------------ sec rsa4096/99E91413F3F0F32A 2021-03-01 [SC] 2E7C0CDB3335CA962145539d7F99E91413F3F0F32A uid [ultimate] Joe Previte <email@example.com> ssb rsa4096/FDAAA3AF85CEF1E0 2021-03-01 [E]
- Now run this command which will print the GPG key in ASCII armor format:
gpg --armor --export 99E91413F3F0F32A
- Copy the whole block to your clipboard. Then we’ll add it to GitHub.
2. Add the GPG key to your GitHub account
Now that we have the key, we need to tell GitHub about it.
- Go to Settings > New GPG Key
- Paste the key from the Step 1.
- Hit add key.
3. Add key to local Git Settings
The key exists locally and GitHub knows about it. Now we need to tell our local git settings to use it.
- Remember the key we used above? Mine was
99E91413F3F0F32A. Get that.
git config --global user.signingkeyfollowed by your key.
- Tell git to automatically sign your commits with
git config --global commit.gpgsign true
The final step is to update your shell config file. This ensure the key is set as an environment variable for git and GPG to use.
- Open your
- Add this to the bottom
- Restart your shell by running
5. Cache passphrase
If you try committing, you’ll notice that GPG asks for your passphrase. But we don’t want this. At least, we want to cache our passphrase so we don’t have to enter it for every commit. To do that, follow these steps:
- Go to
~/.gnupg/gpg-agent.conf. If it doesn’t exist, create it.
- Add this line:
- Save and restart your shell again.
And that’s it! You can verify that it’s working by pushing any commit to any repo.
If you’re having issues, I suggest taking a look at Troubleshooting GPG git commit signing.