Greg Rickaby

Full-Stack Developer

· 2 min read · #code

Enable verified commits on Github

Learn how to display a 'verified badge' next to your commits on Github.

When you work locally on your computer, Git allows you to set the author of your changes and the identity of the committer. This, potentially, makes it difficult for other people to be confident that commits and tags you create were actually created by you.

screenshot

Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source. To quote privex.io:

GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.

How to enable verified commits on Github

There are two tools available to help generate a GPG key pair:

  1. GUI based GPG Tools
  2. GPG CLI

Once you have one of those tools installed (or both) you can generate a key pair.

In the instructions below I will show both CLI and GUI options.

Create a new key using RSA 4096 encryption:

CLI

gpg --full-generate-key

GUI - GPG Tools

screenshot

Be sure to use the same email you use for Github (which much be verified!)

Retrieve your GPG Key ID:

CLI

gpg --list-secret-keys --keyid-format=long

This command will show you something similar to this:

$ gpg --list-secret-keys --keyid-format=long
/Users/gregrickaby/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2021-06-08 [expires: 2025-06-08]
uid                          Greg Rickaby
ssb   4096R/42B317FD4BA89E7A 2021-06-08

GUI - GPG Tools

Right-click on the columns bar, and select "Key ID" from the dropdown menu. The Key ID will now be shown as a column.

screenshot

Configure your local Git

Tell Git about your signing key with the command below. Swap out the ID with the one generated above.

CLI

git config --global user.signingkey [3AA5C34371567BD2]

GUI - Tower

Open Tower and go to Preferences > Git Config:

screenshot

Configure Github

  1. Visit https://github.com/settings/profile and look for "SSH & GPG Keys" in the sidebar
  2. Add new GPG key to your Github account Learn more
  3. Enable Vigilant Mode on Github Learn More

screenshot

Wrap Up

Nice! Your commits should now show up as "verified" on Github and you've taken an extra step toward a more secure Git workflow.

screenshot

· · ·