Grzegorz Kućmierz

How to make my git contributions verified?

Motivation

GitHub's verified commits can be useful, especially when you are making open source software.

A signature is a guarantee that the person who signed the commit actually made it.
GitHub commits are very easy to change, since they are not secured the way, for example, Bitcoin's blockchain is.

How To?

If you are on a Mac, first install gpg using Homebrew:

brew install gpg

...and after a ☕️ break, generate a key pair:

gpg --default-new-key-algo rsa4096 --gen-key

  • Type your first and last name
  • Type your email address 📧
  • Type your password twice

This should generate your keys:

pub   rsa4096 2020-07-29 [SC] [wygasa: 2022-07-29]
      688BA86A3C51E5A1350986EFD63EC3228BD83581
uid                      Grzegorz Kucmierz <gkucmierz@gmail.com>

The files are stored in ~/.gnupg:

ls ~/.gnupg
.                    S.gpg-agent.extra    pubring.kbx
..                   S.gpg-agent.ssh      pubring.kbx~
S.gpg-agent          openpgp-revocs.d     trustdb.gpg
S.gpg-agent.browser  private-keys-v1.d

List your keys:

gpg --list-secret-keys

Add to Github

Export public key:

gpg --armor --export

The output is your public key, an ASCII-armored block that starts with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----.

Go to GitHub's settings.

Copy and paste the key into the GitHub form under the SSH and GPG keys category.

Your key should now be added.

Setup local git

Check your key 🔑 id:

gpg --list-secret-keys --keyid-format LONG
sec   rsa4096/D63EC3228BD83581 2020-07-29 [SC] [wygasa: 2022-07-29]
      688BA86A3C51E5A1350986EFD63EC3228BD83581
uid          [   absolutne   ] Grzegorz Kucmierz <gkucmierz@gmail.com>

Add it in git config:

git config --global user.signingkey D63EC3228BD83581

Then export the GPG_TTY variable in your shell profile file (in my case, .zshrc):

echo 'export GPG_TTY=$(tty)' >> ~/.zshrc

Now add the -S flag when you commit:

git commit -m "testing verified commit" -S

Your commit should now be signed.

Sign all commits by default

Just change the global git config:

git config --global commit.gpgSign true
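
To check the result locally before pushing, the following added example (not from the original post) runs the whole procedure non-interactively against a throwaway keyring and a scratch repository, then verifies the signature with git verify-commit. The signer name, e-mail address, commit message and the ed25519 key type are assumptions made for the demo; the post itself generates an rsa4096 key.

```sh
# Added example: sign a commit with a throwaway key, then verify it locally.
# Runs in a subshell with temporary directories, so the real ~/.gnupg and the
# global git config are never touched. All names below are constructed.
sign_and_verify() (
  GNUPGHOME=$(mktemp -d) || exit 1   # isolated keyring (mktemp gives mode 700)
  repo=$(mktemp -d) || exit 1        # scratch repository
  export GNUPGHOME
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME" "$repo"' EXIT

  # Non-interactive stand-in for `gpg --gen-key`: empty passphrase, signing
  # only, expires after one day. ed25519 just keeps the demo key quick to make.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <demo@example.com>' ed25519 sign 1d \
      >/dev/null 2>&1 || exit 1

  # Machine-readable listing: field 10 of the first "fpr" record is the
  # fingerprint, which git accepts as user.signingkey.
  fpr=$(gpg --batch --list-secret-keys --with-colons |
        awk -F: '$1 == "fpr" { print $10; exit }')
  [ -n "$fpr" ] || exit 1

  git init -q "$repo" || exit 1
  # Per-command -c settings stand in for `git config --global ...`.
  git -C "$repo" -c user.name='Demo Signer' -c user.email='demo@example.com' \
      -c user.signingkey="$fpr" \
      commit -q -S --allow-empty -m 'signed demo commit' || exit 1

  # verify-commit exits non-zero when the signature is missing or bad.
  git -C "$repo" verify-commit HEAD >/dev/null 2>&1 || exit 1

  # %G? prints G for a good signature from a trusted key, N for no signature.
  git -C "$repo" log -1 --format='%G?'
)
```

Source the script and call sign_and_verify; it prints G when the commit carries a good signature from the throwaway key.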

Top comments (3)

Francisco Quintero 🇨🇴

I already sign my commits and doing:

export GPG_TTY=$(tty)

It's key to prevent some errors.

Great post. Thanks for sharing!

Tomasz Waszczyk

Good read, thanks. Do you have any idea how to easily deal with more than one GitHub account on one machine, in the context of having two verified accounts?

Grzegorz Kućmierz • Edited

Good question!

signingkey is added in [user] section

I am not sure, but I think you should be able to add multiple [user] sections.

Check git docs for more details: git-scm.com/docs/git-config