When you work locally on your computer, Git lets you set both the author and the committer identity of your changes to any value you like. This potentially makes it difficult for other people to be confident that commits and tags bearing your name were actually created by you.
Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source. To quote privex.io:
GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.
How to enable verified commits on Github
There are two tools available to help generate a GPG key pair:
Once you have one of those tools installed (or both) you can generate a key pair.
In the instructions below I will show both CLI and GUI options.
Create a new key using RSA 4096 encryption:
GUI - GPG Tools
Be sure to use the same email you use for Github (which must be verified!)
Retrieve your GPG Key ID:
gpg --list-secret-keys --keyid-format=long
This command will show you something similar to this:
$ gpg --list-secret-keys --keyid-format=long
/Users/gregrickaby/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2021-06-08 [expires: 2025-06-08]
uid                          Greg Rickaby
ssb   4096R/42B317FD4BA89E7A 2021-06-08
GUI - GPG Tools
Right-click on the columns bar, and select "Key ID" from the dropdown menu. The Key ID will now be shown as a column.
Configure your local Git
Tell Git about your signing key with the command below. Swap out the ID with the one generated above (the square brackets only mark the placeholder and are not part of the command).
git config --global user.signingkey [3AA5C34371567BD2]
GUI - Tower
Open Tower and go to Preferences > Git Config:
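As an added example (not from the original post), the Python below parses the `gpg --list-secret-keys --keyid-format=long` listing shown above, picks the primary key ID that is unexpired and allowed to sign, and emits the `git config` commands; it also accepts the newer gpg 2.x listing format with capability flags, and adds `commit.gpgsign` and `tag.gpgSign` so that every commit and tag gets signed automatically. The second sample listing, the Alice key and the function names are constructed for this example.

```python
import re
from datetime import date
# Constructed sample: the listing shown on this page (older gpg output format).
SAMPLE_OLD = """\
/Users/gregrickaby/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2021-06-08 [expires: 2025-06-08]
uid                          Greg Rickaby
ssb   4096R/42B317FD4BA89E7A 2021-06-08
"""
# Constructed sample in gpg 2.x format: capability flags [S]ign/[C]ertify/[E]ncrypt/[A]uth.
SAMPLE_NEW = """\
sec   rsa4096/0123456789ABCDEF 2021-06-08 [SC] [expires: 2025-06-08]
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/FEDCBA9876543210 2021-06-08 [E]
"""
KEY_LINE = re.compile(
    r"^(?P<kind>sec|ssb)\s+\S+/(?P<keyid>[0-9A-F]{16})\s+\d{4}-\d{2}-\d{2}"
    r"(?:\s+\[(?P<caps>[SCEA]+)\])?"
    r"(?:\s+\[expire[sd]: (?P<expires>\d{4}-\d{2}-\d{2})\])?"
)

def parse_secret_keys(listing):
    """One dict per 'sec'/'ssb' line: kind, long key ID, caps, expiry date."""
    keys = []
    for line in listing.splitlines():
        if m := KEY_LINE.match(line):
            exp = m.group("expires")
            keys.append({"kind": m.group("kind"), "keyid": m.group("keyid"),
                         "caps": m.group("caps"),
                         "expires": date.fromisoformat(exp) if exp else None})
    return keys

def select_signing_key(listing, today=None):
    # Primary ('sec') key ID that is unexpired on `today` (ISO date string) and may sign.
    now = date.fromisoformat(today) if today else date.today()
    for k in parse_secret_keys(listing):
        if k["kind"] != "sec":
            continue  # user.signingkey takes the primary key ID, not an 'ssb' subkey
        if k["expires"] and k["expires"] < now:
            continue  # gpg will not sign with an expired key
        if k["caps"] and "S" not in k["caps"]:
            continue  # gpg 2.x listing says this key lacks the sign capability
        return k["keyid"]
    raise ValueError("no usable signing key found in listing")

def git_signing_config(keyid):
    # The page's command (without placeholder brackets) plus automatic signing.
    return [f"git config --global user.signingkey {keyid}",
            "git config --global commit.gpgsign true",
            "git config --global tag.gpgSign true"]
```

Run `git log --show-signature -1` after your next commit to confirm it carries a good signature from the selected key.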
- Visit https://github.com/settings/profile and look for "SSH & GPG Keys" in the sidebar
- Add your new GPG key to your Github account
- Enable Vigilant Mode on Github
Nice! Your commits should now show up as "verified" on Github, and you've taken an extra step toward a more secure Git workflow.