Iano Njuguna

Set Up your GitHub Commit Signature

Why and how you should set up your commit signature on GitHub

Introduction

Once you set up your commit signature, GitHub marks your commits as "Verified". Before then, they are marked "Unverified".

Unverified and Verified Commits

Why Should You Set Up Your Commit Signature?

  1. Data Integrity and Authenticity: Commit signatures use cryptographic techniques to ensure the integrity and authenticity of your code changes. This means that others can be confident that the code attributed to you is legitimate and has not been altered by unauthorized parties.

  2. Build Trust and Reputation: Commit signatures enhance your credibility as a developer, especially when contributing to open-source projects or collaborating with others. Trust is crucial in the software development community, and signed commits can help build a positive reputation.

  3. Secure Collaboration: With signed commits, team members can easily verify the origin of changes, reducing the risk of accepting malicious or unauthorized code into the project. It fosters a more secure collaboration environment.

  4. Compliance and Legal Requirements: In some projects and organizations, commit signatures may be mandatory to comply with legal or regulatory requirements, particularly for projects involving sensitive data or high-security applications.

  5. Code Review and Accountability: Signed commits provide accountability during code reviews, ensuring that the author of each change can be easily identified. This encourages responsible development practices.

Although GitHub has provided straightforward guides and tools to set up your commit signature, I had difficulty setting up my commit signature because of the order in which the steps had been organized in the documentation.

I have listed the doc sources in the order I find clear and concise:

  1. Generate a GPG key.

  2. Add the GPG key to your GitHub account.

  3. Tell Git about your GPG key.

Follow them in that order and you will not encounter any problems.

To sign your commits, you need to run the git commit command like this:

$ git commit -S -m "Commit Message"

However, to customize the command and make it easier to remember or quicker to type, learn how to create a permanent alias.
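
The three setup steps and the `-S` commit above, run end to end in a throwaway keyring and repository so the signature can be checked locally. This is an added example, not part of the original post; the `Demo Dev` identity, the ed25519 key type and the temp-dir layout are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: everything lives in a temp dir; ~/.gnupg and global git config are untouched.
signed_commit_demo() (
  set -e
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"            # isolated keyring
  mkdir -m 700 "$GNUPGHOME"
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT

  # Step 1: generate a signing key. Constructed identity; the empty passphrase
  # only keeps the demo non-interactive, a real key should have one.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Dev <demo@example.com>' ed25519 sign never
  fpr=$(gpg --batch --list-secret-keys --with-colons |
        awk -F: '$1 == "fpr" { print $10; exit }')

  # Step 2: this ASCII-armored public key is what gets added to the GitHub account.
  gpg --batch --armor --export "$fpr" > "$work/public-key.asc"

  # Step 3: tell Git which key to sign with (repo-local config for the demo).
  repo="$work/repo"
  git init -q "$repo"
  git -C "$repo" config user.name 'Demo Dev'
  git -C "$repo" config user.email 'demo@example.com'   # matches the key's user ID
  git -C "$repo" config gpg.format openpgp
  git -C "$repo" config user.signingkey "$fpr"

  # One commit without a signature, one with -S, then inspect both.
  git -C "$repo" commit -q --allow-empty --no-gpg-sign -m 'unsigned commit'
  unsigned=$(git -C "$repo" log -1 --format='%G?')      # N = no signature
  git -C "$repo" commit -q --allow-empty -S -m 'signed commit'
  signed=$(git -C "$repo" log -1 --format='%G?')        # G = good signature
  git -C "$repo" verify-commit HEAD                     # fails the demo if invalid
  echo "$unsigned $signed"
)

# Run only when both tools are installed; prints "N G".
if command -v git >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
  signed_commit_demo
fi
```

`%G?` and `git verify-commit` report what your local keyring can verify; the "Verified" label on GitHub also depends on the public key having been added to the account in step 2.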

Top comments (2)

Mtende Otis II

May you please show me a link of a signed commit project someone made?
