Have you ever noticed the green "Verified" badge next to commits you have created on GitHub, such as pull request merge commits? It indicates a signed commit. By signing your commits you can prove that a commit came from you and wasn't altered in transit.
You can configure your local development environment to sign all of your commits, and here is how. Note that the following steps are specific to a Windows environment; you can do the same on Linux with similar tools.
Check for existing GPG keys
Open Git Bash and check for existing GPG keys with the following command. It lists all GPG keys for which you have both a public and a private key.
gpg --list-secret-keys --keyid-format LONG
Generate new GPG key
If you don't have any previously generated GPG keys on your system, you have to create one. For that, run the following command and follow the instructions. You can create a 4096-bit RSA key with your ID information.
Now, when you run the above command to list existing GPG keys, you should get output similar to the following. From the list of GPG keys, copy the GPG key ID you'd like to use. Take the ID from the sec line, whose [SC] flags show that the key can sign and certify; the ssb line marked [E] is an encryption-only subkey and cannot sign commits. In this example, the GPG key ID is 28288B34EEB193D4, shown after rsa4096/ on the sec line:
sec rsa4096/28288B34EEB193D4 2021-04-26 [SC]
uid [ultimate] chathurabuddi (Chathura Buddhika) <email@example.com>
ssb rsa4096/4C99BA0B684D538C 2021-04-26 [E]
Now run the following command, replacing the key ID with the one you copied. This prints your public key in ASCII armor format.
gpg --armor --export 28288B34EEB193D4
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
Now log in to GitHub and navigate to "Settings" → "SSH and GPG keys". Click "New GPG key" and paste the key you just exported.
Configure Git to use the generated GPG key
To sign commits locally, you need to tell Git which GPG key to use. To set your GPG signing key in Git, run the following command, replacing the key ID with the one you copied in the previous step.
git config --global user.signingkey 28288B34EEB193D4
Then set the following configuration so that every commit is signed automatically.
git config --global commit.gpgsign true
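The key-selection, export-check and Git-configuration steps above, as one added script that is not part of the original post. It uses the key listing shown earlier as constructed sample input; running it with --apply assumes gpg and git are on your PATH.

```shell
#!/bin/sh
# Added example, not from the original post: pick the signing-capable key ID
# out of the `gpg --list-secret-keys --keyid-format LONG` listing, check that
# an exported armored key is complete, and apply the Git settings.
set -eu

# Constructed sample listing, the same three lines shown in the post above.
SAMPLE_LISTING='sec   rsa4096/28288B34EEB193D4 2021-04-26 [SC]
uid           [ultimate] chathurabuddi (Chathura Buddhika) <email@example.com>
ssb   rsa4096/4C99BA0B684D538C 2021-04-26 [E]'

# Read a key listing on stdin and print the long ID of every primary key ("sec")
# whose capability flags include S (sign). The "ssb ... [E]" subkey is
# encryption-only and cannot be used for user.signingkey.
signing_key_ids() {
  awk '$1 == "sec" && $0 ~ /\[[A-Z]*S[A-Z]*\]/ {
         split($2, p, "/")      # "rsa4096/28288B34EEB193D4" -> p[2] is the ID
         print p[2]
       }'
}

# Succeed only if the armored export starts and ends with the PGP markers;
# a truncated paste is the usual reason GitHub rejects a key.
armored_key_is_complete() {
  key="$1"
  first=$(printf '%s\n' "$key" | head -n 1)
  last=$(printf '%s\n' "$key" | tail -n 1)
  [ "$first" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ] &&
    [ "$last" = "-----END PGP PUBLIC KEY BLOCK-----" ]
}

# Tell Git which key to sign with and sign every commit by default.
configure_git_signing() {
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
}

# Run with --apply to do it for real against the local keyring (needs gpg and git).
if [ "${1:-}" = "--apply" ]; then
  key_id=$(gpg --list-secret-keys --keyid-format LONG | signing_key_ids | head -n 1)
  [ -n "$key_id" ] || { echo "no signing-capable secret key found" >&2; exit 1; }
  armored_key_is_complete "$(gpg --armor --export "$key_id")" || exit 1
  configure_git_signing "$key_id"
  echo "Git will now sign commits with $key_id; upload the armored key to GitHub."
fi
```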
All done! The next time you push a signed commit, GitHub verifies the signature against the public key you uploaded and adds the green "Verified" badge showing that the commit came from you. For the badge to appear, the email address in your key's uid must also be a verified email address on your GitHub account.