Sign Commits

Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG.

Step-by-step process to sign your commit:

Step 1 :

To sign commits, you need Git installed on your local machine, GPG configured, and your personal key installed.

To check whether you have GPG configured and a personal key installed on your local machine, run this command in your terminal:

$ gpg --list-keys

Step 2 :

Download and install the GPG command line tools for your operating system. Generate a key using this command:

$ gpg --gen-key

Step 3 :

Once you have a private key to sign with, you can configure Git to use it for signing by setting the user.signingkey config setting (the key ID below is an example; use your own):

$ git config --global user.signingkey 0A46826A!

Step 4 :

After completing all the above steps, head to your profile on GitHub.

Step 5 :

In the "Access" section of the sidebar, click "Emails". Add and verify your email address if it is not verified.

Step 6 :

a) In the "Primary email address" group, select the email address with which you want to sign commits.

b) Make sure that the "Keep my email addresses private" checkbox is unchecked.

Step 7 :

You are all set to sign your commit. To sign a commit, open your terminal or Git Bash and, while committing changes in your local branch, add the -S flag to the git commit command:

$ git commit -S -m "YOUR_COMMIT_MESSAGE"

Step 8 :

After you create your commit, provide the passphrase you set up when you generated your GPG key, then push the commit to your remote repository on GitHub.

Step 9 :

On the pull request, click the Commits tab to check whether your commit is signed.

Click on "Verified" to see more detailed information about the signature.

You have successfully signed your commit.
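
The signing and verification steps can be rehearsed locally before touching a real key. The script below is an added example, not part of the original guide: it generates a throwaway key in a temporary GNUPGHOME, signs one commit with -S, leaves another unsigned, and prints Git's own signature status for each. The user ID, the passphrase-less key, the temporary paths and the repository-local (rather than --global) config are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: rehearse signing and verification with a throwaway key.
# Assumed for the demo: the user ID, a passphrase-less key, temp paths.
demo_signed_commit() (
    set -e
    work=$(mktemp -d)
    # Stop the demo gpg-agent and delete the throwaway key on exit.
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$work"' EXIT

    # Isolated keyring: the real ~/.gnupg is never read or modified.
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Unattended equivalent of `gpg --gen-key` (step 2).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        default default never >/dev/null 2>&1

    # Full fingerprint of the new primary key, used as the signing key.
    fpr=$(gpg --batch --list-secret-keys --with-colons |
          awk -F: '$1 == "fpr" { print $10; exit }')

    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name 'Demo Signer'
    git config user.email 'demo@example.invalid'
    # Step 3, but repository-local instead of --global.
    git config user.signingkey "$fpr"

    git commit -q --allow-empty --no-gpg-sign -m 'unsigned commit'
    # Step 7: -S signs the commit with user.signingkey.
    git commit -q --allow-empty -S -m 'signed commit'

    # %G? is Git's signature status: G = good signature, N = none.
    git log --format='%G? %s'
)
```

Source the file and run demo_signed_commit; the same git log --format='%G? %s' check works in any real repository to spot unsigned commits before they are pushed.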