Signing commits with GPG in GitHub: A Complete Guide
Introduction
In today’s digital world, securing your online identity is more critical than ever. When it comes to GitHub, committing code securely ensures the integrity of your work and helps avoid unauthorized changes. One way to do this is by signing your commits using GPG (GNU Privacy Guard). This guide will walk you through the basics of GPG, how it works, and how to use it to sign your commits on GitHub.
What is GPG?
GPG (GNU Privacy Guard) is a tool for secure communication and data storage. It uses public-key cryptography to encrypt and sign data. With GPG, you have two keys:
1. Public Key: Shared with others to encrypt data sent to you or verify your digital signature.
2. Private Key: Kept secret and used to decrypt received data or sign data (like Git commits).
When you sign your commits with GPG, you add a layer of trust to your code by proving that the commits come from you and haven’t been altered.
Why Should You Sign Git Commits?
1. Security: Signed commits verify your identity, preventing others from impersonating you.
2. Trust: Signed commits help collaborators and the open-source community trust that the code truly came from you.
3. Professionalism: Signed commits can give you a more polished and secure professional presence on GitHub.
Getting Started with GPG and GitHub
1. Install GPG
First, install GPG on your machine:
- macOS: Use Homebrew to install GPG.
brew install gnupg
- Linux: Install using your package manager.
sudo apt-get install gnupg
- Windows: Download GPG from Gpg4win and install it.
2. Generate a New GPG Key
To generate a new GPG key, open your terminal and run:
gpg --full-generate-key
You will be prompted to choose the type of key. Select RSA and RSA (default) and choose a key size (4096 bits is recommended). Afterward, you’ll need to provide your name, email, and optionally, a passphrase.
Once generated, you can list your GPG keys with:
gpg --list-secret-keys --keyid-format LONG
3. Add Your GPG Key to GitHub
To sign commits, GitHub needs to recognize your public GPG key. First, copy your public key:
gpg --armor --export YOUR_ID
Replace YOUR_ID with the ID of your GPG key (the long ID shown after the slash on the "sec" line in the output of the previous step). This will display your public key in the terminal.
Copy the entire output, including the
-----BEGIN PGP PUBLIC KEY BLOCK-----
and
-----END PGP PUBLIC KEY BLOCK-----
lines.
Next, go to your GitHub account settings:
1. Settings > SSH and GPG Keys > New GPG Key.
2. Paste your copied public key.
3. Click Add GPG Key.
4. Configure Git to Use Your GPG Key
Once you’ve added your GPG key to GitHub, you need to configure Git to use it. Run the following commands:
git config --global user.signingkey YOUR_ID
git config --global commit.gpgSign true
Replace YOUR_ID with your GPG key ID.
5. Signing Commits
Now that GPG is configured, you can sign a commit explicitly by adding -S when committing (with commit.gpgSign set to true, as above, Git signs every commit even without the flag):
git commit -S -m "Your commit message"
Git will ask for your GPG passphrase (if you set one). If the commit is successfully signed, you’ll see a “Verified” badge next to the commit on GitHub.
6. Verify Signed Commits
On GitHub, any signed commit will show a Verified badge:
- A green badge means the commit is properly signed and verified.
- A red or gray badge might indicate an issue with the signature (e.g., the key isn't recognized).
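As an added example (not part of the original post), the following shell helpers automate two of the steps above: picking the long key ID out of the gpg --list-secret-keys output from step 2, and checking the signature status of commits with git's %G? log placeholder, which you can use locally before pushing instead of waiting for the badge on GitHub. The key ID, fingerprint, hashes and commit messages in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for two steps above:
#  - pick the long key ID out of `gpg --list-secret-keys --keyid-format LONG`
#    output, ready for `git config --global user.signingkey`;
#  - classify `git log --format='%G? %H %s'` output so a pre-push hook or CI
#    job can flag commits that are unsigned or whose signature fails.
# Both helpers read from stdin; the sample outputs below are constructed.

# Print the long (16 hex digit) ID of the first "sec" line, i.e. the part
# after "rsa4096/" in a line such as "sec   rsa4096/3AA5C34371567BD2 ...".
gpg_long_keyid() {
  awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# Map git's %G? status letter to a verdict:
#   G = good signature, U = good but the key is not trusted,
#   N = no signature, anything else (B, E, X, Y, R) = failed or unverifiable.
classify_signatures() {
  while read -r status hash message; do
    case "$status" in
      G) verdict="verified" ;;
      U) verdict="signed-untrusted" ;;
      N) verdict="UNSIGNED" ;;
      *) verdict="FAILED($status)" ;;
    esac
    printf '%.7s %s %s\n' "$hash" "$verdict" "$message"
  done
}

# Succeeds only when every commit on stdin is signed and verifies, so it can
# gate a push: git log --format='%G? %H %s' origin/main..HEAD | all_commits_verified
all_commits_verified() {
  ! classify_signatures | grep -Eq 'UNSIGNED|FAILED'
}

# --- constructed sample data standing in for the real tool output ---
SAMPLE_GPG_LIST='sec   rsa4096/3AA5C34371567BD2 2024-01-15 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid                 [ultimate] Jane Doe <jane@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-15 [E]'

SAMPLE_GIT_LOG='G 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b Add signed feature
N 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6 Unsigned hotfix
B 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d Tampered commit'

printf '%s\n' "$SAMPLE_GPG_LIST" | gpg_long_keyid
printf '%s\n' "$SAMPLE_GIT_LOG" | classify_signatures
```

Run against a real repository, replace the sample data with the live command output shown in the comments; an N or FAILED line is exactly the commit that would show a gray or red badge on GitHub.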
Hoping this was helpful. Please clap and share if you found it helpful. Cheers