Get Verified: Your Guide to Secure Commits on GitHub for Mac Users

metecan
3 min read · May 29, 2024


Proving who authored a commit is valuable on any shared project, and GitHub shows a "Verified" badge on commits whose signature it can check against a key on your account. This guide explains how to configure a Mac for SSH connections to GitHub and for SSH-signed commits, so that both your pushes and your authorship are tied to a key only you hold.

Verified Commits

Step 1: Configure Git User Information

First, set the name and email that Git records on every commit. Open your terminal and enter the following commands:

git config --global user.name "Your Name"           # display name recorded in each commit
git config --global user.email "email@example.com"  # an email address verified on your GitHub account

The email matters for verification: GitHub only marks a signed commit as Verified when the committer email is one of the addresses verified on the account that owns the signing key. This sets your identity for all Git repositories on your machine; running the same commands without --global inside a repository overrides it for that repository only.

Step 2: Generate an SSH Key

An SSH key pair authenticates you to GitHub without a password: the private key stays on your Mac and only the public key is uploaded. Here's how to generate one:

2.1. Create the .ssh directory if it doesn't already exist, with the owner-only permissions OpenSSH expects:

mkdir -p -m 700 ~/.ssh

2.2. Generate a new SSH key using the ed25519 algorithm. The -C text is only a comment that helps you tell keys apart; when prompted, choose a passphrase so the key is useless to anyone who copies the file:

ssh-keygen -t ed25519 -C "email@example.com"

2.3. Start the SSH agent in the background:

eval "$(ssh-agent -s)"

2.4. Add your SSH key to the ssh-agent and store your passphrase in the macOS keychain (this flag exists on macOS 12 and later; earlier releases used ssh-add -K for the same purpose):

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

Step 3: Configure SSH

Next, create an SSH client configuration so the agent and keychain are used automatically and the right key is offered:

3.1. Create a new SSH config file:

touch ~/.ssh/config

3.2. Open the config file in your preferred text editor (here, using Visual Studio Code):

code ~/.ssh/config

3.3. Add the following configuration to the file:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519

Host * applies these settings to every server you connect to; if you would rather not offer this key everywhere, use Host github.com instead. UseKeychain is a macOS-only option, so do not copy this file to a Linux machine unchanged.

Step 4: Configure Git to Sign Commits with Your SSH Key

GitHub accepts both GPG (GNU Privacy Guard) and SSH signatures on commits. Since Git 2.34, Git can produce signatures with an SSH key directly, so there is no need to manage a separate GPG key; check that git --version reports 2.34 or later before continuing.

4.1. Tell Git to produce SSH signatures instead of GPG signatures:

git config --global gpg.format ssh

4.2. Point Git at the public half of your key. Because the private key is held by the agent, ssh-keygen locates it from the public key when signing:

git config --global user.signingkey ~/.ssh/id_ed25519.pub

4.3. Sign all commits and tags by default, so you cannot forget:

git config --global commit.gpgsign true
git config --global tag.gpgsign true

Step 5: Trust Your Key for Local Verification

Signing does not require this step, and GitHub does not read this file. The allowed signers list is what lets Git on your own machine verify SSH signatures (git log --show-signature, git verify-commit): a signature is only reported as good when the signing key appears in the file. Without it, git verify-commit fails even for your own commits.

5.1. Create the allowed_signers file:

touch ~/.ssh/allowed_signers

5.2. Add your SSH public key to the allowed_signers file, keyed by the email you use in commits:

echo "$(git config --get user.email) namespaces=\"git\" $(cat ~/.ssh/id_ed25519.pub)" >> ~/.ssh/allowed_signers

5.3. Tell Git where the file is; otherwise it is never consulted:

git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

Step 6: Add SSH Key to GitHub

Finally, add your public key to your GitHub account. GitHub tracks authentication keys and signing keys separately, so the same public key is added twice, once for each purpose.

6.1. Copy your SSH public key to the clipboard:

pbcopy < ~/.ssh/id_ed25519.pub

6.2. Go to GitHub and navigate to Settings > SSH and GPG keys.

6.3. Click on New SSH key, give it a title, and paste your key in the Key field.

6.4. Repeat step 6.3, but this time select Signing Key as the key type instead of Authentication Key. Without this second entry your pushes will work but your commits will show as Unverified.

By following these steps, you get a GitHub setup on your Mac where pushes are authenticated with your SSH key and every commit carries a signature GitHub can verify, which keeps contributions properly attributed and makes it harder for someone to pass off commits as yours.

You are ready! Test it by cloning a repository over SSH (GitHub documents ssh -T git@github.com as a quick connection check), pushing a commit, and confirming that it shows the Verified badge on GitHub.