It has been a month since I started thinking about signing my commits. When I first noticed “Verified” tags on GitHub, I realized that I need those even if I am not committing files from the web interface.
My first attempt failed completely, as I couldn’t put all pieces of the puzzle together. So now I am returning with a no-bullshit guide, straight to the point: how to sign your commits (mostly MacOS only).
- GPG Suite – download, setup, generate a key
gpg --list-secret-keys --keyid-format LONG [email protected]– list all keys for your emailgpg --armor --export ABCDEFGHE123123123– copy the key from the previous command (it will have something in the lines of BEGIN/END), and you put it in GPG Keys on your git hosting (GitHub, GitLab, etc.)git config user.signingkey ABCDEFGHE123123123– this is how you add a key to a local repository; you can add it globally, if you want, but I prefer to keep it repo-specific, because I sometimes use different emailsgit config commit.gpgsign true– enable commits signing (it might ask for the key’s password)git commit -S– this is how you enable signing for a specific commit, but it will work regardless, if you did the previous step (it will also work in Sublime Merge, Sourcetree and other git clients)git log --show-signature– check git logs before pushing the commits
And that’s it, now you have your commits Verified.