Signing Commits in GitHub Desktop
If you are looking at commits in a GitHub repository, you may notice a “Verified” label next to some commits. You too can get the “Verified” label by signing your commits using GPG.
The official documentation states
Note: GitHub Desktop does not support commit signing.
However, it is possible to sign commits using GitHub Desktop.
Generate the GPG Key
- Install GPG command line tools.
- You may need to use the command gpg2 instead of gpg.
- Generate a GPG key using the command
  gpg2 --full-generate-key
- Press Enter to accept the default kind of key, RSA and RSA.
- Enter the keysize as 4096 bits.
- When prompted to enter user ID information, enter the verified email address for your GitHub account.
- Add a passphrase as required.
- Once the key is generated, verify by running
  gpg2 --list-secret-keys --keyid-format LONG
- Copy the GPG key ID, and export the public key using
  gpg2 --armor --export <key id>
- Add the GPG key to your GitHub account.
Configure Git to Use GPG Key
Make sure your .gitconfig contains the following information:
[user]
email = <Git user email>
name = <Git user name>
[gpg]
program = gpg2
[commit]
gpgsign = true
In my case, I have multiple git accounts. Hence I configured only my GitHub folder to sign the commits.
Global Git Configuration File (~/.gitconfig)
[user]
email = <Global git user email>
name = <Global git user name>
[includeIf "gitdir:~/Documents/GitHub/"]
path = ~/Documents/GitHub/.gitconfig
Folder Specific Git Configuration File (~/Documents/GitHub/.gitconfig)
[user]
name = <Github user name>
email = <Github user email>
[gpg]
program = gpg2
[commit]
gpgsign = true
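To confirm that this layout signs only where intended, the following added example (not part of the original post) rebuilds the two files above in a throwaway HOME and asks git for the effective commit.gpgsign value in a repository inside ~/Documents/GitHub/ and in one outside it. The example.com addresses, the user names and the repository names project and work/other are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: check where the includeIf layout turns commit signing on.
# A temporary HOME is used so the real ~/.gitconfig is never touched.

# Print the effective commit.gpgsign for the repository at $1
# ("true", or "unset" when no config file sets it).
effective_gpgsign() {
    git -C "$1" config --get commit.gpgsign || echo "unset"
}

# Recreate the page's two config files (constructed identities) and make
# one repository inside ~/Documents/GitHub/ and one outside it.
setup_demo_home() {
    HOME="$(mktemp -d)"; export HOME
    export GIT_CONFIG_NOSYSTEM=1            # ignore /etc/gitconfig
    unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
    mkdir -p "$HOME/Documents/GitHub" "$HOME/work"
    cat > "$HOME/.gitconfig" <<'EOF'
[user]
    email = global@example.com
    name = Global User
[includeIf "gitdir:~/Documents/GitHub/"]
    path = ~/Documents/GitHub/.gitconfig
EOF
    cat > "$HOME/Documents/GitHub/.gitconfig" <<'EOF'
[user]
    name = GitHub User
    email = github@example.com
[gpg]
    program = gpg2
[commit]
    gpgsign = true
EOF
    # includeIf "gitdir:" only matches inside an actual repository.
    git init -q "$HOME/Documents/GitHub/project"
    git init -q "$HOME/work/other"
}

setup_demo_home
echo "inside  GitHub folder: $(effective_gpgsign "$HOME/Documents/GitHub/project")"
echo "outside GitHub folder: $(effective_gpgsign "$HOME/work/other")"
# Show which file supplies the identity used for signed commits.
git -C "$HOME/Documents/GitHub/project" config --show-origin --get user.email
```

In a real setup, running git config --show-origin --get commit.gpgsign inside each repository gives the same answer; a repository cloned outside the GitHub folder will commit unsigned without any warning.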
Signing via Command Line
To sign a commit in a local branch
$ git commit -S -m "your commit message"
# Creates a signed commit
To push the commits to the remote repository
$ git push
# Pushes local commits to the remote repository
Signing via Github Desktop
You may commit changes as usual if the repository has been configured to sign all commits.