How to add the “Verified” badge to commits on GitHub

Have you ever noticed the green “Verified” badge next to some of the commits you have created on GitHub, such as pull request merge commits? It is an indication of a signed commit. By signing your commits you can prove that a commit came from you and wasn’t altered in transit.

Image credit: Rush Hour 3 (2007)

You can configure your local development environment to sign all of your commits, and here is how. Please note that the following steps are specific to a Windows environment; you can do the same on Linux with similar tools.

Open Git Bash and check for existing GPG keys with the following command. It will list all GPG keys for which you have both a public and a private key.

gpg --list-secret-keys --keyid-format LONG

If you don’t have any previously generated GPG keys on your system, you have to create one! For that, run the following command and follow the instructions. You can create a 4096-bit RSA key with your ID information.

gpg --full-generate-key

Now, when you run the above command to list existing GPG keys, you should get output similar to the following. From the list of GPG keys, copy the GPG key ID you’d like to use. In this example, the GPG key ID is 28288B34EEB193D4:

C:/Users/CHATHURA/AppData/Roaming/gnupg/pubring.kbx
---------------------------------------------------
sec rsa4096/28288B34EEB193D4 2021-04-26 [SC]
F471566C276889DE9E06DBEA33288B46ETF193D4
uid [ultimate] chathurabuddi (Chathura Buddhika) <contact@chathurabuddi.lk>
ssb rsa4096/4C99BA0B684D538C 2021-04-26 [E]

Now run the following command, replacing the key ID with the one you copied. This will print your public key in ASCII-armored format.

gpg --armor --export 28288B34EEB193D4

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Now login to GitHub and navigate to “Settings” → “SSH and GPG keys”. Click on “New GPG key” and add your generated GPG key.

To sign commits locally, you need to tell Git which GPG key you’d like to use. To set your GPG signing key in Git, run the following command, replacing the key ID with the one you copied in the previous step.

git config --global user.signingkey 28288B34EEB193D4

Then you can set the following configuration so that Git signs every commit automatically.

git config --global commit.gpgsign true

All done! The next time you sign a commit, GitHub will verify the signature against your public key and add the green “Verified” badge that denotes the commit came from you.
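As an added example that is not part of the original post, here is a small Git Bash script that audits a repository for commits GitHub would not mark “Verified”, using Git’s %G? log placeholder (the sample log lines, hashes and function names are constructed for illustration):

```shell
# Added example (not from the original post): audit commits for signature status.
# Git's %G? placeholder reports the local GPG verification result per commit.

# Human-readable meaning of a %G? status letter.
sig_status_label() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key not trusted locally" ;;
    X) echo "good signature, signature expired" ;;
    Y) echo "good signature, key expired" ;;
    R) echo "good signature, key revoked" ;;
    B) echo "BAD signature: commit or signature was altered" ;;
    E) echo "cannot check: public key not in local keyring" ;;
    N) echo "unsigned" ;;
    *) echo "unknown status '$1'" ;;
  esac
}

# Read "<status> <hash> <subject>" lines on stdin; report non-good commits on stderr, print their count.
audit_log() {
  n=0
  while read -r status hash subject; do
    if [ -n "$status" ] && [ "$status" != "G" ]; then
      echo "$hash  $(sig_status_label "$status")  $subject" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Audit a real repository; extra arguments go to git log (e.g. -n 50).
audit_repo() {
  git log --format='%G? %h %s' "$@" | audit_log
}

# Confirm the two settings from this post are in place before committing.
check_signing_config() {
  key=$(git config --global --get user.signingkey) || return 1
  [ "$(git config --global --get commit.gpgsign)" = "true" ] || return 1
  echo "commits will be signed with key $key"
}

# Constructed sample of `git log --format='%G? %h %s'` output for offline use.
SAMPLE_LOG='G a1b2c3d Add signed feature
N 4e5f6a7 Fix typo in README
B 89abcde Commit whose contents no longer match its signature
E 0f1e2d3 Signed with a key that is not in the local keyring'

printf '%s\n' "$SAMPLE_LOG" | audit_log
```

Running `audit_repo -n 50` inside a real repository lists the recent commits that are unsigned, carry a bad signature, or were signed with a key you have not imported, which is the same distinction GitHub draws when deciding whether to show the badge.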

Chathura Buddhika ~ Java-Developer & Graphic-Designer