How to Sign Commits on GitHub?
Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.
Step-by-step process to sign your commits:
Step 1:
To sign commits you need Git installed on your local machine, GPG configured, and your personal key installed.
To check whether GPG is configured and a personal key is installed, run this command in your terminal:
$ gpg --list-keys
Step 2:
Download and install the GPG command-line tools for your operating system. Then generate a key with this command:
$ gpg --gen-key
Step 3:
Once you have a private key to sign with, configure Git to use it for signing by setting the user.signingkey config option:
$ git config --global user.signingkey 0A46826A!
Step 4:
After completing the steps above, open your profile settings on GitHub.
Step 5:
In the "Access" section of the sidebar, click "Emails". Add and verify your email address if it is not already verified.
Step 6:
a) In the "Primary email address" group, select the email address you want to use for signing commits.
b) Make sure the "Keep my email addresses private" checkbox is unchecked.
Step 7:
You are now ready to sign a commit. Open your terminal or Git Bash and, when committing changes on your local branch, add the -S flag to the git commit command:
$ git commit -S -m "YOUR_COMMIT_MESSAGE"
Step 8:
When you create the commit, enter the passphrase you set when you generated your GPG key, then push the commit to your remote repository on GitHub.
Step 9:
On the pull request, open the Commits tab to check whether your commit is signed.
Click "Verified" for more detailed information about the signature.
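Step 9 checks one commit in the GitHub UI; the following added example (not from the original post) does the same check for a whole range from the command line, reading the signature status letters that git prints for the %G? placeholder of git log --format and listing every commit that is not backed by a good signature from a trusted key. The policy that only status G passes is an assumption of this example, and the hashes, subjects and the key id other than 0A46826A in the sample log are constructed.

```python
import subprocess

# Meaning of the one-letter %G? codes, as documented for `git log --format`.
STATUS = {
    "G": "good signature", "U": "good signature, untrusted key",
    "X": "good signature, expired", "Y": "good signature, key expired",
    "R": "good signature, key revoked", "B": "bad signature",
    "E": "cannot verify (missing key or error)", "N": "no signature",
}
# Policy assumption for this example: only a good signature from a trusted key passes.
ACCEPTED = {"G"}
# Tab-separated fields: full hash, signature status, signing key id, subject.
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%s"

def run_git_log(rev_range="origin/main..HEAD"):
    """Collect one line per commit from a real repository (needs git and gpg)."""
    result = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                            check=True, capture_output=True, text=True)
    return result.stdout.splitlines()

def parse_log(lines):
    """Turn formatted log lines into dicts with a human-readable reason."""
    commits = []
    for line in lines:
        if not line.strip():
            continue
        sha, status, keyid, subject = line.split("\t", 3)
        commits.append({"sha": sha, "status": status, "keyid": keyid,
                        "subject": subject,
                        "reason": STATUS.get(status, "unknown status code")})
    return commits

def unverified(commits):
    """Commits that would not count as verified under the ACCEPTED policy."""
    return [c for c in commits if c["status"] not in ACCEPTED]

def report(lines):
    """One line per commit that fails the policy: short hash, code, reason, subject."""
    return [f"{c['sha'][:12]} {c['status']} {c['reason']}: {c['subject']}"
            for c in unverified(parse_log(lines))]

# Constructed sample output (hashes, subjects and the DEADBEEF key id are made
# up; 0A46826A is the key id used in the post above).
SAMPLE_LOG = [
    "1111111111111111111111111111111111111111\tG\t0A46826A\tAdd signing docs",
    "2222222222222222222222222222222222222222\tN\t\tUnsigned fix",
    "3333333333333333333333333333333333333333\tE\tDEADBEEFCAFEF00D\tKey not in keyring",
    "4444444444444444444444444444444444444444\tB\t0A46826A\tTampered after signing",
]
```

Call report(run_git_log()) inside a repository whose signers' public keys are in your local keyring; without those keys a genuinely signed commit shows E rather than G, so an empty keyring makes every signed commit look unverifiable.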