DEV Community

Suraj

Verified Commits on GitHub from Ubuntu 22.04 LTS (GPG Keys) ✅

In this blog, I’ll walk you through setting up GPG keys on Ubuntu 22.04 LTS to sign Git commits, ensuring they appear as verified on GitHub. Verified commits add a layer of trust to your contributions, making it clear that your commits are authentic. Let’s get started!

Table of Contents

  1. Introduction to Signed Commits
  2. Verified Commits vs. Unverified Commits on GitHub
  3. Installing GPG on Ubuntu 22.04 LTS
  4. Generating a GPG Key and Configuring GitHub
  5. Configuring Git on Ubuntu to Sign Commits
  6. Creating Signed Commits

1. Introduction to Signed Commits

Signed commits use GPG keys to verify the identity of the commit author, ensuring that the changes come from a trusted source. GitHub displays these verified commits with a green badge, signaling authenticity and providing security. We’ll begin by understanding how signed commits work and why they’re valuable.


2. Verified Commits vs. Unverified Commits on GitHub

GitHub marks verified commits with a green checkmark, while unverified commits lack this indicator. Git itself lets anyone set any author name and e-mail, so an unsigned commit only claims an identity. A verified commit helps the community trust that the code truly comes from you, whereas an unverified commit could be from an unknown source.

Verified Commit (Signed Commit)

Unverified Commit (Unsigned Commit)


3. Installing GPG on Ubuntu 22.04 LTS

To create signed commits, we’ll first need to install GPG if it’s not already available.

  • Update Your System:
   sudo apt update && sudo apt upgrade
  • Install GPG:
   sudo apt install gnupg

After installation, verify GPG is set up by running:

   gpg --version

4. Generating a GPG Key and Configuring GitHub

With GPG installed, let’s generate a GPG key to use for signing our commits.

  • Generate GPG Key:
   gpg --full-generate-key

Follow the prompts to create a new GPG key.

  • List GPG Key with Key IDs:
   gpg --list-secret-keys --keyid-format LONG

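Note down your key ID (written as YOUR-KEY-ID in the commands below) from the output; it is the hexadecimal string after the slash on the sec line, and it will be needed in later steps.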

  • Export Public Key:
   gpg --armor --export YOUR-KEY-ID

The output is an ASCII-armored public key block that begins with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----.

Copy the output and proceed to add this GPG key to GitHub.

  • Add GPG Key to GitHub Account:
    • Go to GitHub > Settings > SSH and GPG keys.
    • Click New GPG Key and paste your public key.


5. Configuring Git on Ubuntu to Sign Commits

After adding the GPG key to GitHub, configure Git on Ubuntu to use this key for signing commits.

  • Configure Git with Your GPG Key:
   git config --global user.name "YOUR-NAME"
   git config --global user.email "YOUR-EMAIL"
   git config --global user.signingkey YOUR-KEY-ID
   git config --global commit.gpgsign true
   git config --global tag.gpgsign true
  • Find the Path to the gpg Binary (where gpg is the Windows equivalent):
   which gpg
  • Set That Path as Git's GPG Program, replacing "path" with the output of the previous command:
   git config --global gpg.program "path"
  • List Global Git Configuration (Optional):
   git config --global --list

This step verifies that all settings are configured properly.
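
GitHub marks a commit as verified only when the committer e-mail matches an identity on the uploaded key, so it is worth checking that user.email appears on the key named in user.signingkey. The script below is an added example, not part of the original post: it parses the output of gpg --list-secret-keys --with-colons, and the function names and the sample listing (made-up key IDs and addresses) are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not from the original post.
# emails_for_key KEYID
#   stdin:  output of `gpg --list-secret-keys --with-colons`
#   stdout: lower-cased e-mail of each non-revoked, non-expired user ID on the
#           primary key KEYID (long key ID or full fingerprint, optional 0x prefix)
emails_for_key() {
  awk -F: -v want="$1" '
    BEGIN {
      want = toupper(want)
      sub(/^0X/, "", want); sub(/!$/, "", want)
      # a long key ID is the last 16 hex digits of the fingerprint
      if (length(want) > 16) want = substr(want, length(want) - 15)
    }
    # "sec" record: field 5 is the 16-digit key ID of a primary secret key
    $1 == "sec" {
      cur = (want != "" && substr($5, length($5) - length(want) + 1) == want)
    }
    # "uid" record: field 2 is validity (r = revoked, e = expired), field 10 the user ID
    $1 == "uid" && cur && $2 !~ /^[re]/ && match($10, /<[^<>]+>/) {
      print tolower(substr($10, RSTART + 1, RLENGTH - 2))
    }'
}

# signing_identity_ok KEYID EMAIL: exit status 0 if EMAIL (compared
# case-insensitively) is a usable user ID on KEYID.
signing_identity_ok() {
  emails_for_key "$1" | grep -qxF "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# Constructed sample listing (made-up key IDs and addresses), so this runs offline.
SAMPLE_LISTING='sec:u:4096:1:AAAABBBBCCCCDDDD:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:u::::1700000000::0000::Example Dev <Dev@Example.com>::::::::::0:
uid:r::::1700000000::0000::Example Dev <old@example.com>::::::::::0:
ssb:u:4096:1:1111222233334444:1700000000::::::e:::+:::23:
sec:u:4096:1:9999888877776666:1700000000:::u:::scESC:::+:::23::0:
uid:u::::1700000000::0000::Other <other@example.org>::::::::::0:'

if printf '%s\n' "$SAMPLE_LISTING" | signing_identity_ok 0xaaaabbbbccccdddd dev@example.com
then echo "OK: user.email is on the signing key"
else echo "MISMATCH: GitHub will not mark these commits as Verified"
fi

# Against your own setup:
#   gpg --list-secret-keys --with-colons |
#     signing_identity_ok "$(git config user.signingkey)" "$(git config user.email)"
```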


6. Creating Signed Commits

With everything set up, you’re ready to create signed commits that will be marked as verified on GitHub.

Making a Signed Commit:

git commit -S -m "Your commit message"
  • The -S flag ensures the commit is signed.

Since we configured Git to sign all commits globally, you can also commit without the -S flag:

git commit -m "Your commit message"

The commit is signed automatically when it is created, so after pushing it you should see a “Verified” badge on GitHub.
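
Before pushing, you can check locally which commits carry a good signature by using Git's %G? signature-status placeholder. The script below is an added example, not part of the original post: it reports every commit whose status is not G. The function name, the sample log lines and the origin/main range in the closing comment are assumptions, and the result reflects your local keyring rather than GitHub's own check.

```bash
#!/bin/sh
# Added example, not from the original post.
# signature_report
#   stdin:  one commit per line as "<hash> <status> <committer e-mail>", i.e. the
#           output of `git log --format="%H %G? %ce"`
#   stdout: one line per commit whose status is not G (good signature)
#   exit:   1 if any such commit was found, else 0
signature_report() {
  awk '
    BEGIN {
      # meanings of the %G? status letters
      why["N"] = "no signature"
      why["B"] = "bad signature"
      why["E"] = "signature cannot be checked, e.g. key missing locally"
      why["U"] = "good signature, key validity unknown"
      why["X"] = "good signature that has expired"
      why["Y"] = "good signature made by an expired key"
      why["R"] = "good signature made by a revoked key"
    }
    $2 == "G" { next }
    {
      reason = ($2 in why) ? why[$2] : "unrecognised status"
      printf "%s %s %s: %s\n", substr($1, 1, 12), $2, $3, reason
      flagged++
    }
    END { exit (flagged > 0) }'
}

# Constructed sample log (made-up hashes and addresses), so this runs offline.
SAMPLE_LOG='1111111111111111111111111111111111111111 G dev@example.com
2222222222222222222222222222222222222222 N dev@example.com
3333333333333333333333333333333333333333 E ci@example.com'

printf '%s\n' "$SAMPLE_LOG" | signature_report || echo "-> re-sign these before pushing"

# Against your own branch (origin/main is an assumed upstream name):
#   git log --format="%H %G? %ce" origin/main..HEAD | signature_report
```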


Thanks for reading Engineers!
