In this blog, I’ll walk you through setting up GPG keys on Ubuntu 22.04 LTS to sign Git commits, ensuring they appear as verified on GitHub. Verified commits add a layer of trust to your contributions, making it clear that your commits are authentic. Let’s get started!
Table of Contents
- Introduction to Signed Commits
- Verified Commits vs. Unverified Commits on GitHub
- Installing GPG on Ubuntu 22.04 LTS
- Generating a GPG Key and Configuring GitHub
- Configuring Git on Ubuntu to Sign Commits
- Creating Signed Commits
1. Introduction to Signed Commits
Signed commits use GPG keys to verify the identity of the commit author, ensuring that the changes come from a trusted source. GitHub displays these verified commits with a green badge, signaling authenticity and providing security. We’ll begin by understanding how signed commits work and why they’re valuable.
2. Verified Commits vs. Unverified Commits on GitHub
GitHub marks verified commits with a green checkmark, while unverified commits lack this indicator. Verified commits help the community trust that the code truly comes from you, as opposed to an unverified commit that could potentially be from an unknown source.
Verified Commit (Signed Commit)
Unverified Commit (Unsigned Commit)
3. Installing GPG on Ubuntu 22.04 LTS
To create signed commits, we’ll first need to install GPG if it’s not already available.
- Update Your System:
sudo apt update && sudo apt upgrade
- Install GPG:
sudo apt install gnupg
After installation, verify GPG is set up by running:
gpg --version
4. Generating a GPG Key and Configuring GitHub
With GPG installed, let’s generate a GPG key to use for signing our commits.
- Generate GPG Key:
gpg --full-generate-key
Follow the prompts to create a new GPG key.
- List GPG Key with Key IDs:
gpg --list-secret-keys --keyid-format LONG
Note down YOUR-KEY-ID from the output, as it will be needed in later steps.
- Export Public Key:
gpg --armor --export YOUR-KEY-ID
The output is an ASCII-armored public key block, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
Copy the output and proceed to add this GPG key to GitHub.
- Add GPG Key to GitHub Account:
- Go to GitHub > Settings > SSH and GPG keys.
- Click New GPG Key and paste your public key.
5. Configuring Git on Ubuntu to Sign Commits
After adding the GPG key to GitHub, configure Git on Ubuntu to use this key for signing commits.
- Configure Git with Your GPG Key:
git config --global user.name "YOUR-NAME"
git config --global user.email "YOUR-EMAIL"
git config --global user.signingkey YOUR-KEY-ID
git config --global commit.gpgsign true
git config --global tag.gpgsign true
- Point Git at the GPG binary (optional):
Find the path to the gpg executable:
which gpg
(on Windows, use where gpg instead)
Then tell Git to use that path:
git config --global gpg.program "path"
- List Global Git Configuration (Optional):
git config --global --list
This step verifies that all settings are configured properly.
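As an added check that is not part of the original post: the script below parses a constructed sample of the gpg --list-secret-keys --keyid-format LONG output from step 4 to pull out the long key ID and the UID e-mail addresses, and when run with --live compares your global Git configuration against the real keyring. GitHub only marks a commit "Verified" when the committer e-mail is a UID on the signing key and is verified on your account, so a mismatch here is the usual cause of an "Unverified" badge. The function names and the sample key are made up for this example.

```shell
# Added helper, not from the original post. Parses the output of
# "gpg --list-secret-keys --keyid-format LONG" and checks the Git
# configuration against it. The sample listing below is constructed.
SAMPLE_LISTING='/home/alice/.gnupg/pubring.kbx
------------------------------------
sec   rsa4096/3AA5C34371567BD2 2024-01-15 [SC]
      D1BF1C0C1F1E6A43B15D2E8C3AA5C34371567BD2
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-15 [E]'

# Long key ID: the part after the slash on the "sec" line (what the
# post calls YOUR-KEY-ID). Only the first secret key is returned.
extract_long_keyid() {
    printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# Every e-mail address found on a "uid" line, one per line.
extract_uid_emails() {
    printf '%s\n' "$1" |
        awk '$1 == "uid" && match($0, /<[^>]+>/) { print substr($0, RSTART + 1, RLENGTH - 2) }'
}

# Succeeds when the e-mail is a UID of the key. GitHub shows "Verified"
# only if the committer e-mail is on the key and verified on the account.
email_matches_key() {
    extract_uid_emails "$1" | grep -Fxq -- "$2"
}

# Live check of this machine (run with --live): the configured signing key
# must exist in the secret keyring and user.email must be one of its UIDs.
# Assumes user.signingkey holds the long key ID, as set in the post.
check_local_setup() {
    listing=$(gpg --list-secret-keys --keyid-format LONG 2>/dev/null)
    key=$(git config --global user.signingkey)
    email=$(git config --global user.email)
    [ -n "$key" ] || { echo "user.signingkey is not set"; return 1; }
    printf '%s\n' "$listing" | grep -q -- "/$key " ||
        { echo "key $key not found in secret keyring"; return 1; }
    email_matches_key "$listing" "$email" ||
        { echo "user.email $email is not a UID on key $key"; return 1; }
    echo "OK: $key is present and carries $email"
}

if [ "${1:-}" = "--live" ]; then
    check_local_setup
else
    echo "sample key ID: $(extract_long_keyid "$SAMPLE_LISTING")"
    email_matches_key "$SAMPLE_LISTING" alice@example.com && echo "sample e-mail matches"
fi
```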
6. Creating Signed Commits
With everything set up, you’re ready to create signed commits that will be marked as verified on GitHub.
- Making a Signed Commit:
git commit -S -m "Your commit message"
- The -S flag ensures the commit is signed.
Since we configured Git to sign all commits globally, you can also commit without the -S flag:
git commit -m "Your commit message"
The commit is signed when it is created; after you push it, you should see a “Verified” badge on GitHub.
Thanks for reading, Engineers!