How to Create a Verified Commit in GitHub using GPG key?

Mobarak Hosen Shakil
Published in Big0one
Jul 18, 2021

Before going through the setup process for verified commits in GitHub, let's see what it looks like.

If you look at the image above, you can see the difference between the commits. The first two commits are not verified, so they carry no Verified tag; the other commits do. The tag tells a reader that those commits come from a trusted source. For a quick comparison, make two commits on one of your GitHub repositories: one directly from the GitHub website and another from your local machine using git. You will find that the first one shows as a verified commit and the second one as non-verified.

I'm not going to explain why we need signed commits; instead I'll explain the process of creating them. If you want to read more about signed commits, you can go through the GitHub docs here.
From that link you can learn about:

  • commit signature verification
  • generating new gpg key
  • adding gpg key in github
  • adding gpg key in git configuration
  • signing commits

Now let's set up commit signature verification.

Creating GPG key

If GPG is not installed, install it with the command below (Ubuntu):

sudo apt install gnupg

To create a GPG key pair:

gpg --full-generate-key

It will prompt you to choose a few options.

  1. Select key type: Select option 1 (the default) to choose an RSA key.
  2. Key size in bits (1024–4096): The default value is 3072. You can choose the maximum value, 4096. I have used a 2048-bit key.
  3. Key expiration time: zero (0) makes the key valid for life; you can specify n, w, m or y for days, weeks, months and years, for example 5y for five years.
  4. Real name: Specify the name used on GitHub.
  5. Email address: Enter the email address used on GitHub.
  6. Comment: You can skip this (just press Enter) or add any comment here. If everything is correct, enter O (Okay); it will then prompt you to set a passphrase.
  7. Passphrase: Enter any passphrase you would like to set. After that it will create the key.

Find GPG keys list

After creating the GPG keys, you can check the list you have. To list the keys:

gpg --list-keys

It will show the list of keys on your device, like this:

/home/noob/.gnupg/pubring.kbx
-----------------------------
pub rsa2048 2021-07-17 [SC]
***************************************
uid [ultimate] Mobarak Hosen Shakil <mh*****@gmail.com>
sub rsa2048 2021-07-17 [E]
pub rsa4096 2021-07-18 [SC]
5308F0B4BDEAD8D9012959A4E8FCF**********
uid [ultimate] Mobarak Hosen Shakil <mh*****@gmail.com>
sub rsa4096 2021-07-18 [E]

This is the public key list. To list the secret keys, use this command:

gpg --list-secret-keys --keyid-format=long

It will show the secret and public key pairs as below:

/home/noob/.gnupg/pubring.kbx
-----------------------------
sec rsa2048/0A8054514******* 2021-07-17 [SC]
*******B56AE6C6A9B4744B00A8054514DA9D78B
uid [ultimate] Mobarak Hosen Shakil <mh*****@gmail.com>
ssb rsa2048/0BB4E0D5******** 2021-07-17 [E]
sec rsa4096/E8FCF8A50******* 2021-07-18 [SC]
*******4BDEAD8D9012959A4E8FCF8A501D13C6A
uid [ultimate] Mobarak Hosen Shakil <mh*****@gmail.com>
ssb rsa4096/E20965C7******** 2021-07-18 [E]

Here the secret key ID of the second key is

E8FCF8A50*******

Note: I have used the asterisk character (*) to hide private details.

Add GPG key in GitHub

You need to add the GPG public key to your GitHub account before GitHub can mark your commits as verified. So let's export the GPG public key in ASCII-armored format first. The command is:

gpg --armor --export [secret-gpg-key-id]

You will get a key like this one. Copy the whole text from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- and add it to GitHub.

To add a new GPG key in GitHub, follow this link: https://github.com/settings/gpg/new

Paste the copied text there and click Add GPG key. The new key will appear in the GPG keys list of your GitHub profile. You can check your GPG keys list from here.

Git Settings on Your Local Machine

To set your GPG signing key in git, add the secret key ID to your global git configuration. Follow the steps below.

git config --global user.name github-username
git config --global user.email github-email
git config --global user.signingkey [secret-gpg-key-id]
git config --global commit.gpgsign true
git config --global gpg.program $(which gpg)

Commit Signature Verification

To sign your commits, commit in this way:

git commit -S -m "commit-msg"

-S tells git to sign the commit with the GPG key set in user.signingkey. Because commit.gpgsign was set to true above, git signs every commit even without -S.
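To check the result before pushing, the following POSIX shell script (an added example, not part of the original post) lists the recent commits whose signature git cannot verify as good. It uses git's %G? and %GK log placeholders; the key IDs, hashes and subjects in sample_audit are constructed values, not real keys.

```shell
#!/bin/sh
# Audit commit signatures in a git history. git's %G? placeholder yields one
# letter per commit: G good, B bad, U good but untrusted, X good but expired,
# Y good but key expired, R good but key revoked, E cannot check, N unsigned.

# classify_status: map a %G? letter to a short, human-readable reason.
classify_status() {
    case "$1" in
        G) echo "good signature" ;;
        B) echo "BAD signature" ;;
        U) echo "good signature, key not trusted" ;;
        X) echo "good signature, expired" ;;
        Y) echo "good signature, signing key expired" ;;
        R) echo "good signature, signing key revoked" ;;
        E) echo "cannot verify (key missing?)" ;;
        N) echo "unsigned" ;;
        *) echo "unknown status '$1'" ;;
    esac
}

# audit_log: read lines "<status> <keyid> <hash> <subject>" from stdin,
# print every commit whose status is not G, and return how many there were
# (the shell caps the return value at 255). %GK is empty for unsigned commits.
audit_log() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=${line%% *}; rest=${line#* }
        keyid=${rest%% *};  rest=${rest#* }
        hash=${rest%% *};   subject=${rest#* }
        [ -n "$keyid" ] || keyid="none"
        if [ "$status" != "G" ]; then
            bad=$((bad + 1))
            printf '%s %s: %s (key %s)\n' "$hash" "$subject" \
                "$(classify_status "$status")" "$keyid"
        fi
    done
    return $bad
}

# run_audit: audit the last N commits (default 20) of the current repository.
run_audit() {
    git log -n "${1:-20}" --format='%G? %GK %h %s' | audit_log
}

# sample_audit: the same check over constructed log lines, so the script can
# be tried without a signed repository. Expected: 3 problem commits reported.
sample_audit() {
    printf '%s\n' \
        'N  a1b2c3d Initial commit (unsigned)' \
        'G AAAAAAAAAAAAAAAA d4e5f6a Add README (signed)' \
        'B AAAAAAAAAAAAAAAA 0123456 Rewritten after signing' \
        'E BBBBBBBBBBBBBBBB 789abcd Signed with a key not in the keyring' \
    | audit_log
}
```

Source the file and call run_audit inside a repository; a non-zero return means at least one commit did not verify cleanly, which is what to fix before pushing.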
