Why did you need to sign your commit?

Let’s talk about why it’s important to sign your Git commits. While this isn’t an exhaustive list, here are some key reasons why you should consider doing it.

  1. Any commit you make that’s signed with your verified key will display a special “verified” badge. This badge assures others that the code you pushed is authentic and comes directly from you.
  2. Many open-source projects insist on signed commits as a way to protect the integrity of their code. It’s a safeguard against unauthorized changes or tampering.
  3. Signing your commits isn’t technically mandatory, but it’s a best practice that signals to others that you’re serious about your work and follow industry standards.

Requirements

In this tutorial, we’ll use a Linux system, but don’t worry if you’re on a different operating system. You can find similar or equivalent tools to accomplish the same tasks.

  • GitHub account
  • Git tool
  • GNU Privacy Guard (GPG)

Short Version

  1. Get your Github Alias from this page Github Settings.
  2. Generate a new GPG key:
gpg --full-generate-key
  1. Get the new Key ID:
gpg --list-secret-keys --keyid-format=long
  1. Export the public key:
gpg --armor --export <KEY ID>
  1. Add the public key to Github GPG Settings.

  2. Jump into your git repository locally and add the settings to sign:

git config commit.gpgsign true
git config user.signingkey <KEY ID>
  1. Create a new commit and push it:
git commit -S -m "<your commit message>"
  1. Verify the badge on the commit via Github.

Long Story

First things first, we need to find your GitHub alias email. You can get this by visiting the following page: Github Settings.

Under Primary email address section you can find the alias email, it will end with @users.noreply.github.com

Email alias

We need to generate a new GPG key for that email using:

gpg --full-generate-key

You can choose from a few different algorithms listed here Github Supported Key Algorithms.

While there are a few options, I recommend sticking with RSA for its balance of security and compatibility.

Please select what kind of key you want:
 (1) RSA and RSA
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
 (9) ECC (sign and encrypt) *default*
 (10) ECC (sign only)
 (14) Existing key from card
Your selection? 1                                           <---- Select 1

You have the flexibility to choose any key bit size you prefer. That said, I recommend going with 4096 bits for optimal security.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096                       <---- Insert 4096

Please select your desired expiration date from the options below.

Please specify how long the key should be valid.
 0 = key does not expire
 <n>  = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
Key is valid for?

Provide your complete name, the email address associated with your GitHub account, and a short note about what this key is for.

Real name: <YOUR NAME OR THE ACCOUNT NAME> 
Email address: <GITHUB ALIAS EMAIL>
Comment: <A PERSONAL COMMENT FOR THIS KEY>

Next, you’ll be prompted to confirm the key generation. Before you type the key to confirm, make sure to create a strong password/passphrase for your key.

The following step is to retrieve your public key and integrate it into your GitHub profile. Run this command below

gpg --list-secret-keys --keyid-format=long

The key ID is located after the key bit long part on the first line. For me, the keyid is just 1FD2435626D45D46.

GPG KeyID

Export the public key using this command below:

gpg --armor --export <KEYID>

Copy the output and insert it into this page Github GPG Page and save it.

Let’s head over to the repository folder. From there, you can run these commands.

git config commit.gpgsign true
git config user.signingkey <KEY ID>
Git config

Next, create a new commit. To ensure proper signing, include the ‘-S’ flag in your commit message and push it.

git commit -S -m "<COMMIT MESSAGE>"

Go to the commit history on GitHub and check if there’s a verified badge to the commit.

Git Badge