
Signing Commits

As a best practice you should sign your commits; see here for an explanation of the security and verification reasons why.

This takes a little bit of setup, but thankfully it has been carefully explained by GitHub here.

The required steps, broken down, are:

Generate a Key

The gpg tool should already be installed on your machine, so you can follow the instructions in the link above.

The only thing that I have come across is that the command to actually generate it is not gpg --full-generate-key, but gpg --gen-key. The rest of the page can be followed exactly.

Pay particular attention to the email address that is used in the key. You will need to be able to prove that you own it before the commits will be accepted, and it must match the email address that is configured in git.

Get git to use the key

First you need to set the key that is going to be used; see here for instructions about this. I would follow the advice and configure the key globally.

Then tell git to sign your commits. There are instructions on how to do this on a commit-by-commit basis here, but the important bit is in the blue tip box at the top.

It explains how to sign your commits automatically: run git config commit.gpgsign true in the repo to sign every commit for that repo, or run git config --global commit.gpgsign true to do this globally.

Get GitHub to recognise the key

There are two steps needed before GitHub will mark the commit as verified. First you need to upload the public key to GitHub, as described here.

Then you need to make sure your email is verified. Details of this are here. There is also a button on the emails page that will allow you to add a new email address if the one you are using is not associated with the account.
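
The email mismatch mentioned under "Generate a Key" can be caught locally before pushing. The script below is an added example, not part of the original page or of GitHub's instructions: it checks that the key named in git's user.signingkey setting carries a usable user ID for the address in user.email. The function names and the sample listing are constructed for illustration, and it assumes the key was configured as described in the steps above.

```shell
#!/bin/sh
# Added example: does the key git signs with carry git's configured email?

# Constructed sample of `gpg --list-secret-keys --with-colons` output
# (placeholder key id and hashes; one valid uid, one revoked uid).
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::+:::23::0:
uid:u::::1700000000::HASH1::Example Dev <dev@example.com>::::::::::0:
uid:r::::1600000000::HASH2::Example Dev <old@example.com>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:::+:::23:
EOF
}

# key_has_email EMAIL: reads a colon listing on stdin; succeeds only if a
# uid record that is not revoked (r) or expired (e) carries <EMAIL>.
key_has_email() {
    awk -F: -v want="$1" '
        BEGIN { want = "<" tolower(want) ">" }
        $1 == "uid" && $2 != "r" && $2 != "e" {
            if (index(tolower($10), want) > 0) found = 1
        }
        END { exit !found }'
}

# Compare the live git and gpg configuration.
check_signing_setup() {
    email=$(git config user.email) ||
        { echo "user.email is not set" >&2; return 1; }
    key=$(git config user.signingkey) ||
        { echo "user.signingkey is not set" >&2; return 1; }
    if ! gpg --list-secret-keys --with-colons "$key" 2>/dev/null |
            key_has_email "$email"; then
        echo "key $key has no usable uid for <$email>" >&2
        return 1
    fi
    [ "$(git config --bool commit.gpgsign)" = "true" ] ||
        echo "note: commit.gpgsign is off, commits are not signed automatically" >&2
    echo "ok: signing key $key carries <$email>"
}

# Run the live check only when asked: sh check-signing.sh --check
if [ "${1:-}" = "--check" ]; then
    check_signing_setup
fi
```

A passing check only covers the local side; the address still has to be verified on the GitHub account for the commit to show as verified.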