This short article, is on how to get set up Github, so all of your commits are marked with the little "verified" badge.
Why should I do this?
Thats a really good question. When you commit a change with Git, it accepts as author whatever value you want. This means you could claim to be whoever you want when you create a commit.
To make GitHub believe that for eg. Eddie Jaoude contributed to my project I just had to run
git config user.name and
git config user.email with values that match Eddie's.
This leads to the problem, that we have no guarantee that:
- The author of the code is really the person whose name is on the commit
- The code change you see is really what the author wrote and its not somehow tampered.
To avoid this sign your Git commits, so you prove that you were the author of this code change. On top it also gives you the ability to ensure that no one can modify your commit.
Difference between signed-off and signed
Just add the Signed-off-by line to commit messages.
This is my commit message Signed-off-by: Super Cool Dev <email@example.com>
You can use the
git command line option
-s to append this automatically to your commit message:
git commit -s -m 'This is my commit message'
git commit --amend -s
if you already committed your changes.
Git Signed-off-by simply adds a line to your commit message with your name and email address. The idea is to show that you have the permission to submit it, and you adhere to the project licensing. A project will state that the Signed-off-by says you agree to the Developer Certificate of Origin (DCO). See the DCO github action
Git provides the possibility to verify that commits came from trusted source using the GNU Privacy Guard (GPG).
Set up GPG
If you don't have GPG, you need to install it. Check that the installation was successfully with
gpg --version gpg (GnuPG) 2.3.3 libgcrypt 1.9.4 ... `
If you don't have already GPG key, you can generate a new GPG key. The steps are fairly easy and very good described in the GitHub docs
Now we create the public and private key files via following commands:
gpg --export -a "key-id" > public.key gpg --export-secret-key -a "key-id" > private.key
The key-id you can get easy, with the command:
gpg --list-secret-keys --keyid-format=longsec ed25519/<KEYID> 2021-11-13 [SC]
now import them via:
gpg --import public.key gpg --import private.key
Set up Git
Now we can configure Git to use our signing key ID. It’s an alphanumeric string that can be found with
gpg --list-signatures (check the line starting with
git config --global user.signingkey <signing key ID>
And configure Git to sign commits per default, so we don’t always have to add the -s flag in the command line:
git config --global commit.gpgsign true
and, very important, set the path to the gpg program:
git config --global gpg.program /usr/local/bin/gpg
Set up GitHub
If you not already did this, you need to configure your account on GitHub.com to use your new (or existing) GPG key.
We use following command
gpg --armor --export <KEYID>
cat (or other tool) public.key
and copy the content to your clipboard.
Check the official docs for the steps in the UI to upload but in the end you should see this:
Bonus: Set up VSCode
Open the settings, search for “gpg” and check the box “Enables commit signing with GPG”.
Bonus: Set up IntelliJ
Start IntelliJ IDEA (or restart it to make sure it loads the changes you've made to your environment).
In the Settings/Preferences dialog ⌘ ,, go to Version Control | Git, and click the Configure GPG Key button.
In the dialog that opens, click Sign commits with GPG key and select the key you want to use from the list.
Now your every commit will be signed with the selected key.
amend for sign-off
If you see on a MacOS system:
error: gpg failed to sign the data fatal: failed to write commit object
brew install pinentry-mac and set the in terminal profile the env variable
plus change the location of the pinentry-program to
change or add:
Test that the pinentry UI pops up with
echo GETPIN | pinentry-mac
Additional config for Linux and macOS
You can enable the GPG agent to avoid having to type the secret key’s password every time.
Add this line to
~/.gnupg/gpg.conf (you may need to create the file):
If everything works well, you should see the green
verified badge, like this