In today’s world, there is no doubt that software is key – and most a lot of that software that is powering our lives utilizes Git/GitHub to enable remote teams to all work together. So the question lies, why wouldn’t you want to have your team sign their commits in order to validate that they are indeed coming from a verified source? But perhaps more importantly, why wouldn’t you want to have an awesome ‘Verified’ status displayed next to your hard work 🙂 Today we will walk through the process of how to enable signed commits for your GitHub account!

So – in order to obtain that verified status there is a little bit of work that needs to be done beforehand which can be broken down into three main overarching categories: Creating Keys, Setting up GitHub, and Configuring local commits.

Creating Keys

First up, ensure you have the appropriate GPG command-line tools installed for your operating system of choice. That said, if your a Windows fan like myself, just go ahead and get the latest version of Git as Git Bash has everything you need to follow along here.

Secondly, we need to generate a key pair. The keys, along with our specified passphrase is how Git actually verifies our commits. To do that, simply run the following command within the Git Bash shell:

gpg --full-generate-key

At the prompts let’s make sure we select ‘RSA and RSA’ as the key type, ‘4096’ as the keysize, and your desired expiry timeframe. Enter in your name/email information as well but be sure to use the verified email attached to your GitHub account – also, fill in a nifty Passphrase when prompted…

Once the key has been created let’s go ahead and list out all the keys we have with the following:

gpg --list-secret-keys --keyid-format LONG
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec   rsa4096/4E960CCCF8234275 2019-09-17 [SC]
uid                 [ultimate] Mike Preston (mwpreston) <>
ssb   rsa4096/72E0F3D17DD7315B 2019-09-17 [E]

In order to obtain our key, we need to take the key id of the SEC, or SECret key in the output from above. This is the text following the rsa4096/ in the top line. We can then use this in the following command to print out key id in ASCII armor format for pasting into GitHub using the following command:

gpg --armor --export 4E960CCCF8234275

Setting up GitHub

With our key displayed we can now go and apply it to our GitHub account. From the dropdown menu in the top-right, move into the ‘Settings’ section of GitHub, then select ‘SSH and GPG keys’. Here, simply click ‘New GPG key’ to add our key:

Add New GPG Key

Within the text area displayed, copy/paste the entire gpg key we exported and select ‘Add GPG key’ – go ahead an input your password when prompted.

Paste your GPG Key

Now with everything set up within GitHub we can head back to our local development station to configure the actual signing of commits.

Configuring Local Commits

The first thing we need to do is set our global signing key – easy enough – just grab your key id and issue the following command

git config --global user.signingkey 4F960CEFD9655012

Once that is done we can enable git signing globally (on all local repositories) as follows:

git config --global commit.gpgsign true

Or, if you would rather go per repository, you can simply run the following command while in the repo:

git config commit.gpgsign true

At this point, you should be able to sign your commits by using -S parameter as follows

git commit -a -S -m 'did some stuff'

Type in your passphrase, push your changes up to GitHub – and profit!

Verified commit in GitHub

BONUS: Configuring VSCode

Now I don’t do all my git commits via command line – mostly I just use the built-in source control functions within VSCode. I love VSCode so much I’ve even gone to the trouble of setting it up to run c#, even though I have the full blown version of Visual Studio installed alongside 🙂 Anyways – to enable commit signing within VSCode simply go to Settings -> Search for git signing and enable the ‘Git:Enable Commit Signing’ checkbox. From there, any commit from within VSCode will now be signed.

Git Signing in VSCode

So there you have it! Congratulations – you can now sleep better at night knowing the sources of commits are indeed from who you think they are from – or better yet, you have the sweet green verified box next to your name! Thanks for reading!