This is a guide to verify signed commits on Github.
GPG, or GNU Privacy Guard, is a public key cryptography implementation. This allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.
Signing commits enables other people to verify that commits come from a trusted source and haven't been altered after they were signed. Git uses GPG keys to sign commits and tags.
You can sign commits and tags using GPG keys.
You can verify signed commits and tags using GPG keys.
gpg --full-generate-key
gpg --list-secret-keys --keyid-format LONG
gpg --armor --export YOUR-KEY-ID
- Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
- In the upper-right corner of github page, click your profile photo, then click Settings.
- In the user settings sidebar, click SSH and GPG keys.
- Click New GPG key.
- In the "Key" field, paste your GPG key.
- Click Add GPG key.
- Type your GitHub password to verify that it's you.
- Click Confirm.
git config --global user.name "YOUR-NAME"
git config --global user.email "YOUR-EMAIL"
git config --global user.signingkey YOUR-KEY-ID
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
git config --global --list
git commit -S -m "YOUR-COMMIT-MESSAGE"
git tag -s v1.0 -m "YOUR-TAG-MESSAGE"
git push origin master --tags
git log --show-signature
git log --show-signature --oneline
https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
https://help.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key
https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
https://help.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key
Created with 🧡 by Supun Nanayakkara