(portions from https://gist.github.com/xavierfoucrier/c156027fcc6ae23bcee1204199f177da https://gist.github.com/Shinrai/63eb85c7e89715a5d2dc9bee0301a8ac )
You can now sign your commits on GitHub using at least Git 2.18.0 and GitHub Desktop 1.6.1.
- Generate a GPG key and add it to GitHub: https://help.github.com/articles/generating-a-new-gpg-key (if you don't want to type a passphrase on every commit, press "Enter" when the console prompts you for a passphrase; note that an empty passphrase leaves the private key unencrypted on disk)
- Configure Git properly by running git config --global --edit in a terminal to edit the .gitconfig file, then replace YOUR_GITHUB_EMAIL, YOUR_SIGNING_KEY and GPG_BINARY_PATH with your data
[user]
name = Xavier Foucrier
email = YOUR_GITHUB_EMAIL
signingkey = YOUR_SIGNING_KEY
[gpg]
program = GPG_BINARY_PATH
[commit]
gpgsign = true
- YOUR_GITHUB_EMAIL: the email address used to log in to GitHub
- YOUR_SIGNING_KEY: the GPG key used to sign commits, should follow the GPG key ID convention, like this example: https://help.github.com/articles/telling-git-about-your-signing-key/#telling-git-about-your-gpg-key-1
- GPG_BINARY_PATH: the GPG binary file path, depending on your Git install and your operating system:
  - Windows: gpg.exe or C:\Program Files\Git\usr\bin\gpg.exe (can be found using gcm gpg in a terminal)
  - Mac or Linux: gpg or /usr/local/bin/gpg (can be found using which gpg in a terminal)
Note that you can temporarily disable GPG signed commits by setting gpgsign = false in your .gitconfig file with git config --global commit.gpgsign false
If a commit in a PR is marked with an Unverified badge, first check the following:
- Your GPG key must have an email address in it that is the same email address you use to log in to GitHub.
- That GPG key must be uploaded to GitHub.
- Your commit must be signed with git commit -S -m "message"
git rebase -i -S
git checkout -b patch-1 master
git checkout master
git rebase --exec 'git commit --amend --no-edit -n -S' -i patch-1
git push origin master
Other approaches at https://superuser.com/questions/397149/can-you-gpg-sign-old-commits
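
The local items on the checklist above (key email matches, commits are signed) can be checked from a terminal. The script below is an added example, not part of the original gists; the function names key_has_email, sig_status and check_signing_setup and the sample key listing are constructed for illustration, and it does not check whether the key is uploaded to GitHub.

```shell
# Constructed sample of `gpg --list-keys --with-colons` output (fake key data):
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice <alice@example.com>:
uid:r::::1700000000::1111111111111111111111111111111111111111::Alice <old@example.com>:'

# Succeeds if the key listing on stdin has a usable (not revoked or expired)
# user ID containing <EMAIL>; field 2 is validity, field 10 is the user ID.
key_has_email() {
    awk -F: -v want="$1" '
        $1 == "uid" && $2 !~ /^[re]/ &&
            index(tolower($10), "<" tolower(want) ">") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Translates the one-letter status printed by git log --format=%G?
sig_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key validity unknown" ;;
        B) echo "bad signature" ;;
        X|Y) echo "good signature, but signature or key expired" ;;
        R) echo "good signature, but key revoked" ;;
        E) echo "cannot check, public key missing" ;;
        N) echo "not signed" ;;
        *) echo "unknown status" ;;
    esac
}

# Runs the checks against the current repository and Git configuration.
check_signing_setup() {
    email=$(git config user.email) || { echo "user.email is not set"; return 1; }
    key=$(git config user.signingkey) || { echo "user.signingkey is not set"; return 1; }
    gpg_bin=$(git config gpg.program) || gpg_bin=gpg
    if "$gpg_bin" --list-keys --with-colons "$key" | key_has_email "$email"; then
        echo "key $key has a user ID for $email"
    else
        echo "key $key has NO usable user ID for $email"; return 1
    fi
    echo "commit.gpgsign = $(git config commit.gpgsign || echo unset)"
    echo "HEAD: $(sig_status "$(git log -1 --format='%G?')")"
}

# sh check.sh --run checks the real setup; with no argument, the sample is used.
if [ "${1:-}" = "--run" ]; then
    check_signing_setup
else
    printf '%s\n' "$SAMPLE_LISTING" | key_has_email alice@example.com &&
        echo "sample: alice@example.com is on the key"
fi
```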