How to add the “Verified” badge to your commits on GitHub
Have you ever noticed the green “Verified” badge next to the commits that you have created on GitHub, such as pull requests and merge commits? It indicates a signed commit. By signing commits, you can prove that a commit comes from you and wasn’t altered in transit.
You can configure your local development environment to sign all of your commits, and here is how.
Please note that the following steps are specific to a Windows environment; you can do the same on Linux with similar tools.
Check for existing GPG keys
Open Git Bash and check for existing GPG keys with the following command. It lists all GPG keys for which you have both a public and a private key.
gpg --list-secret-keys --keyid-format LONG
Generate new GPG key
If you don’t have any previously generated GPG keys on your system, you have to create one! For that, run the following command and follow the instructions. You can create a 4096-bit RSA key with your ID information.
Now, run the previous command again to list the existing GPG keys. You should get output similar to the following. From the list of GPG keys, copy the GPG key ID you’d like to use. In this example, the GPG key ID is 55558B34BBB154D4.
sec rsa4096/55558B34BBB154D4 2021-04-26 [SC]
uid [ultimate] chathurabuddi (Chathura Buddhika) <email@example.com>
ssb rsa4096/9C56TF0F@84D527D 2021-04-26 [E]
Now run the following command, substituting the GPG key ID you copied. This prints the public key in ASCII armor format.
gpg --armor --export 55558B34BBB154D4
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
Now log in to GitHub and navigate to “Settings” → “SSH and GPG keys”. Click on “New GPG key” and add your generated GPG key.
Configure Git to use the generated GPG key
To sign your commits locally, you need to configure the Git CLI with the GPG key you’d like to use. To set your GPG signing key in Git, run the following command, substituting the GPG key ID you copied in the previous step.
git config --global user.signingkey 55558B34BBB154D4
Then you can run the following command to sign all of your future commits automatically.
git config --global commit.gpgsign true
All done! The next time you push a commit, GitHub will be able to verify the signature against your public key and add the green “Verified” tag next to the commit.
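To confirm the configuration steps above took effect, the following added example (not part of the original post) checks that user.signingkey names a key in the secret keyring that can actually sign and that commit.gpgsign is on. The function names and the sample listing's subkey ID are assumptions made for this example, and the key ID is assumed to be a long key ID as used above.

```shell
#!/usr/bin/env bash
# Added example: confirm that Git's signing settings point at a usable key.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output;
# the subkey ID is made up for this example.
SAMPLE_LISTING='sec   rsa4096/55558B34BBB154D4 2021-04-26 [SC]
uid                 [ultimate] chathurabuddi (Chathura Buddhika) <email@example.com>
ssb   rsa4096/AAAA1111BBBB2222 2021-04-26 [E]'

# Print the long IDs of keys and subkeys that can sign: the capability flags
# contain S, the key is not expired or revoked, and the secret part is
# present ("sec#" / "ssb#" mark a missing secret key and are skipped).
signing_key_ids() {
  awk '$1 ~ /^(sec|ssb)>?$/ && $4 ~ /^\[[A-Z]*S[A-Z]*\]$/ &&
       $5 !~ /^\[(expired|revoked):/ {
         split($2, parts, "/"); print toupper(parts[2])
       }'
}

# check_signing_config KEYID GPGSIGN, with the gpg listing on stdin.
# Returns 0 if ready, 1 if no key is configured, 2 if the configured key
# cannot sign, 3 if automatic signing is off.
check_signing_config() {
  local key gpgsign ids
  key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  gpgsign=$2
  ids=$(signing_key_ids)
  if [ -z "$key" ]; then
    echo "user.signingkey is not set"; return 1
  fi
  if ! printf '%s\n' "$ids" | grep -qxF "$key"; then
    echo "no usable signing key $key in the secret keyring"; return 2
  fi
  if [ "$gpgsign" != "true" ]; then
    echo "commit.gpgsign is not true; commits are signed only with -S"; return 3
  fi
  echo "ok: commits will be signed with $key"
}

# Real use in Git Bash:
#   gpg --list-secret-keys --keyid-format LONG |
#     check_signing_config "$(git config --global user.signingkey)" \
#                          "$(git config --global commit.gpgsign)"
```

In the sample listing the encryption-only subkey (`[E]`) is rejected as a signing key, which is the mistake this check catches when the wrong ID is copied from the listing.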