
Sign your commits

Adding a signature to your commits is easier than you think

Ivan Elfimov, 2021-07-04, 2m (238 words)

It has been a month since I started thinking about signing my commits. When I first noticed the “Verified” badge on GitHub, I realized that I need it even when I am not committing files from the web interface.

My first attempt failed completely, as I couldn’t put all the pieces of the puzzle together. So now I am returning with a no-bullshit guide, straight to the point: how to sign your commits (mostly macOS only).

  • GPG Suite – download and install it, then generate a key
  • gpg --list-secret-keys --keyid-format LONG [email protected] – list the secret keys for your email, with long key IDs
  • gpg --armor --export ABCDEFGHE123123123 – export the public key using the ID from the previous command (the output is an ASCII-armored block between BEGIN/END lines); paste that block into the GPG Keys section of your git hosting (GitHub, GitLab, etc.)
  • git config user.signingkey ABCDEFGHE123123123 – this is how you attach the key to a local repository; you can set it globally if you want, but I prefer to keep it repo-specific, because I sometimes use different emails
  • git config commit.gpgsign true – enable signing for every commit in this repository (git may prompt for the key’s passphrase)
  • git commit -S – this is how you sign a specific commit; if you did the previous step, commits are signed regardless (this also works in Sublime Merge, Sourcetree and other git clients)
  • git log --show-signature – check the signatures in the log before pushing the commits
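The last step checks signatures by eye. As an added example (mine, not from the original post), here is a small bash script that automates the same check before a push: it uses git's `%G?` format placeholder, which reports each commit's signature status as a single letter (G good, U good but untrusted key, N unsigned, B bad, E key missing, X/Y/R expired or revoked), and fails if any commit in the range is not signed. The sample log lines at the bottom are constructed (not real hashes), and the default range `origin/main..HEAD` is an assumption about your branch layout.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.
# Refuses to push when any commit in the range is unsigned or badly signed.

# check_signature_status reads lines "<status> <hash> <subject>" from stdin,
# i.e. the output of: git log --format='%G? %H %s' <range>
# It prints every commit that is not cleanly signed and returns 1 if any
# commit must block the push, 0 otherwise. "U" (good signature, untrusted
# key) is reported as a warning only, since it just means the signer's key
# is not marked trusted in the local gpg keyring.
check_signature_status() {
    local bad=0 status hash subject
    while read -r status hash subject; do
        [ -z "$status" ] && continue        # skip blank lines
        case "$status" in
            G)   ;;                                             # good, trusted
            U)   echo "warning: untrusted key: $hash $subject" ;;
            N)   echo "UNSIGNED:   $hash $subject"; bad=1 ;;
            B)   echo "BAD SIG:    $hash $subject"; bad=1 ;;
            E)   echo "NO KEY:     $hash $subject"; bad=1 ;;
            X|Y|R) echo "EXPIRED/REVOKED ($status): $hash $subject"; bad=1 ;;
            *)   echo "UNKNOWN ($status): $hash $subject"; bad=1 ;;
        esac
    done
    return "$bad"
}

# check_range runs the check against a real repository. The default range is
# an assumption; pass your own, e.g. check_range origin/develop..HEAD
check_range() {
    local range=${1:-origin/main..HEAD}
    git log --format='%G? %H %s' "$range" | check_signature_status
}

# Constructed sample log (fake hashes) for trying the check offline.
SAMPLE_LOG='G 1111111111111111111111111111111111111111 Add signing docs
N 2222222222222222222222222222222222222222 Quick fix without -S
U 3333333333333333333333333333333333333333 Merge from colleague
G 4444444444444444444444444444444444444444 Bump version'

# Stand-alone demo on the constructed sample (exits 1 because one commit is unsigned):
#   printf '%s\n' "$SAMPLE_LOG" | check_signature_status
```

To wire it into git, call `check_range` from a `.git/hooks/pre-push` script; a non-zero exit status makes git abort the push, so an unsigned commit never reaches the remote.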

And that’s it, now you have your commits Verified.