Sign Your Git Commits for GitHub

Rohitraj Khorwal
3 min read · Feb 22, 2025

Signing your commits with a GPG key on GitHub not only secures your contributions but also builds trust with your collaborators. In this post, I’ll walk you through the process of setting up GPG and signing your commits, step by step.

[Image credit: endjin]

1. Install GPG

Before you can sign your commits, you need to install GPG (GNU Privacy Guard), a tool for secure communication and data encryption.

  • macOS:
    Open Terminal and install via Homebrew:
    brew install gnupg
  • Windows:
    Download and install Gpg4win.
  • Linux:
    Use your distribution’s package manager. For Ubuntu, run:
    sudo apt-get install gnupg

2. Generate a GPG Key

Now that GPG is installed, generate a new GPG key. Open your terminal and run:

gpg --full-generate-key

Follow the on-screen instructions to:

  • Choose the key type (usually the default RSA and RSA is fine).
  • Select your key size (at least 4096 bits is recommended for stronger security).
  • Set an expiration date (choose one that fits your security needs).
  • Provide your name and email address. Make sure to use the same email you use on GitHub!

3. Retrieve Your GPG Key ID

Once your key is generated, you’ll need its ID to configure Git. List your keys with:

gpg --list-secret-keys --keyid-format LONG

Locate the line that starts with sec. The string after the slash on that line (for example, rsa4096/3AA5C34371567BD2 gives the key ID 3AA5C34371567BD2) is your key ID. Keep this handy for the next steps.

4. Configure Git to Use Your GPG Key

Tell Git which GPG key to use for signing commits by running:

git config --global user.signingkey YOUR_KEY_ID

To sign every commit by default, enable commit signing globally:

git config --global commit.gpgsign true

Replace YOUR_KEY_ID with the key ID you retrieved in the previous step.

5. Add Your GPG Public Key to GitHub

For GitHub to verify your signed commits, add your public GPG key to your GitHub account:

  1. Export your public key:
     Run the following command to get your key in ASCII-armored format:
     gpg --armor --export YOUR_KEY_ID
  2. Copy the output from your terminal.
  3. Add to GitHub:
     • Log in to your GitHub account.
     • Go to Settings and navigate to SSH and GPG keys.
     • Click New GPG key, paste the copied key, and save it.

6. Signing Your Commits

With everything set up, your commits will now be signed automatically if you enabled global signing. If you prefer to sign commits individually, simply add the -S flag when committing:

git commit -S -m "Your commit message"

Git will now cryptographically sign your commits, which GitHub will verify.
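As an added check that is not part of the original post: a small POSIX shell script that audits a branch's commits with Git's %G? placeholder, so you can confirm locally that signing actually took effect and spot commits that are unsigned, badly signed, or signed with a key Git cannot check. The repository path and revision range are assumed arguments.

```shell
#!/bin/sh
# Added example: audit which commits on a branch carry a good GPG signature.
# Git's %G? placeholder reports one letter per commit:
#   G good, U good but key untrusted, X good but expired, Y good but key expired,
#   R good but key revoked, B bad signature, E cannot check (key missing), N unsigned.
# Only G counts as fully verified here; U means the key is not in your trust chain.

# Reads "<hash> <status> [keyid]" lines on stdin (the format git log emits below),
# prints one line per commit that is not verified, and returns 1 if any was seen.
audit_signature_lines() {
  bad=0
  while read -r hash status keyid; do
    case "$status" in
      G) ;;
      U)     echo "UNTRUSTED  $hash (good signature, key $keyid not trusted)"; bad=1 ;;
      X|Y|R) echo "EXPIRED/REVOKED $hash (status $status, key $keyid)"; bad=1 ;;
      B)     echo "BAD        $hash (signature does not verify)"; bad=1 ;;
      E)     echo "UNCHECKED  $hash (public key not available locally)"; bad=1 ;;
      N)     echo "UNSIGNED   $hash"; bad=1 ;;
      *)     echo "UNKNOWN    $hash (status '$status')"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Runs the audit against a real repository. Arguments (assumed): repo path
# (default .) and revision range (default HEAD). %GK appends the signing key id
# so you can compare it with the id you set in user.signingkey.
audit_repo_signatures() {
  git -C "${1:-.}" log --format='%H %G? %GK' "${2:-HEAD}" | audit_signature_lines
}
```

Run it as `audit_repo_signatures /path/to/repo main..feature` to check only the commits a branch adds; an exit status of 1 means at least one commit needs attention.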

With that, you’ve enhanced the security and authenticity of your contributions on GitHub. Signing your commits not only builds trust among your collaborators but also helps maintain a secure project history.

Happy coding and secure committing!
