How to add the “Verified” badge to your commits on GitHub

chathurabuddi
Apr 26, 2021

Have you ever noticed the green “Verified” badge next to the commits that you have created on GitHub, such as pull requests and merge commits? It indicates a signed commit. By signing your commits, you can prove that a commit came from you and was not altered in transit.


You can configure your local development environment to sign all of your commits, and here is how.

Please note that the following steps are specific to a Windows environment; you can do the same on Linux with similar tools.

Check for existing GPG keys

Open Git Bash and check for existing GPG keys with the following command. It lists all GPG keys for which you have both a public and a private key.

gpg --list-secret-keys --keyid-format LONG

Generate new GPG key

If you don’t have any previously generated GPG keys on your system, you have to create one. Run the following command and follow the prompts. You can create a 4096-bit RSA key with your ID information.

gpg --full-generate-key

Now run the previous command again to list the existing GPG keys. You should get output similar to the following. From the list of GPG keys, copy the GPG key ID you’d like to use. In this example, the GPG key ID is 55558B34BBB154D4:

C:/Users/CHATHURA/AppData/Roaming/gnupg/pubring.kbx
---------------------------------------------------
sec rsa4096/55558B34BBB154D4 2021-04-26 [SC]
F765666C212354PQ9E06DBEA33288B46DCR193F1
uid [ultimate] chathurabuddi (Chathura Buddhika) <hey@chathurabuddi.lk>
ssb rsa4096/9C56TF0F@84D527D 2021-04-26 [E]

Now run the following command, replacing the key ID with the one you copied. This prints the public key for that key ID in ASCII armor format.

gpg --armor --export 55558B34BBB154D4

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Now log in to GitHub and navigate to “Settings” → “SSH and GPG keys”. Click “New GPG key” and paste in the public key you just copied.

Configure Git to use the generated GPG key

To sign your commits locally, you need to configure the Git CLI with the GPG key you’d like to use. To set your GPG signing key in Git, run the following command, replacing the key ID with the one you copied in the previous step.

git config --global user.signingkey 55558B34BBB154D4

Then you can run the following command to sign all of your future commits automatically.

git config --global commit.gpgsign true

All done! The next time you push a commit, GitHub will be able to verify the signature against your public key and add the green “Verified” tag next to the commit.
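Before pushing, you can check that the pieces configured above agree with each other. The script below is an added example, not part of the original article: its function names are hypothetical, it assumes user.signingkey holds a long key ID as in the steps above, and it parses the listing format shown earlier. The email check reflects GitHub's rule that the committer address must match a verified address on your account that is also an identity on the key.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the signing setup in this article.
# Function names are hypothetical. Assumes user.signingkey holds a long key ID.

# stdin: `gpg --list-secret-keys --keyid-format LONG` output.
# Prints the long ID of each primary secret key that can sign ("S" in [SC])
# and is not marked expired or revoked.
signing_key_ids() {
  awk '$1 == "sec" && $0 !~ /\[(expired|revoked):/ {
         for (i = 3; i <= NF; i++)
           if ($i ~ /^\[[SCEA]+\]$/ && $i ~ /S/) { split($2, a, "/"); print a[2] }
       }'
}

# $1: long key ID; stdin: same listing. Prints the addresses on that key's uid lines.
key_emails() {
  awk -v id="$1" '
    $1 == "sec" { split($2, a, "/"); cur = a[2] }
    $1 == "uid" && toupper(cur) == toupper(id) && match($0, /<[^>]+>/) {
      print substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# $1 listing, $2 user.signingkey, $3 commit.gpgsign, $4 user.email.
# Prints one line per problem; returns 0 only when none are found.
check_signing_setup() {
  rc=0
  if ! printf '%s\n' "$1" | signing_key_ids | grep -qixF -- "$2"; then
    echo "signingkey: '$2' is not a usable secret signing key"; rc=1
  fi
  if [ "$3" != "true" ]; then
    echo "gpgsign: commit.gpgsign is not true; commits are signed only with 'git commit -S'"; rc=1
  fi
  if ! printf '%s\n' "$1" | key_emails "$2" | grep -qixF -- "$4"; then
    echo "email: user.email '$4' is not an identity on key '$2'"; rc=1
  fi
  return "$rc"
}

# Run against the real keyring and global Git config: ./script --live
if [ "${1:-}" = "--live" ]; then
  check_signing_setup "$(LC_ALL=C gpg --list-secret-keys --keyid-format LONG)" \
    "$(git config --global user.signingkey)" \
    "$(git config --global --bool commit.gpgsign)" \
    "$(git config --global user.email)" && echo "signing setup is consistent"
fi
```

Run it with --live in Git Bash after the configuration steps; scripts meant to be robust across GnuPG versions and locales should parse `gpg --with-colons` output instead of the human-readable listing.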
