There are many possible ways to do this. This is what worked for me in October 2022, on a recent (M1) mac with zsh, homebrew, and a recent version of git.
The first section below is required to get the basics working. All others are optional.
brew install gnupg
gpg --generate-key # when prompted, enter the same email address you use for commits
keyid=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" {print $5}')
git config --global user.signingkey $keyid
echo 'export GPG_TTY=$TTY' >> ~/.zshrc
exec zsh
git config --global commit.gpgsign true
brew install pinentry-mac
echo "pinentry-program $(which pinentry-mac)" > ~/.gnupg/gpg-agent.conf
pkill -SIGHUP gpg-agent
echo "test" | gpg --clearsign
This will pop up a window where you should enter your passphrase, making sure to select the option to store it in the keychain.
This makes your commits show up as "Verified" on GitHub.
pbcopy < <(gpg --armor --export $keyid)
Then go to github.com/settings/keys, add a GPG key, and paste it.
git show [ref] --show-signature
- Edit your .gitconfig file
- Add an [alias] section if not already present
- Under that section, add the following:
la = log --color --graph --pretty=format:'%C(red bold)%h%Creset%C(yellow bold)%d%Creset %C(green bold)(%cr)%Creset %C(white)%s%Creset %C(magenta bold)<%an> %Creset%C(magenta dim)(%ar, sig=%G?)%Creset' --abbrev-commit --author-date-order
Use this alias via:
git la [ref]
Notice how the end of each line has sig=code, where code is the signature status as documented here:
"G" for a good (valid) signature, "B" for a bad signature, "U" for a good signature with unknown validity, "X" for a good signature that has expired, "Y" for a good signature made by an expired key, "R" for a good signature made by a revoked key, "E" if the signature cannot be checked (e.g. missing key) and "N" for no signature
If you use GitHub, some commits to your repo that are made interactively on the web are signed by GitHub. They will show up as "E" (signature can't be checked) because you don't have GitHub's public key imported yet. You can remedy that with:
curl https://github.com/web-flow.gpg | gpg --import
...after which such commits should show up as "U": the signature is good, but the key's validity is unknown. If you want to treat the key as valid, sign it locally (a non-exportable signature) via:
pubkeyid=$(gpg --list-keys | grep -B 1 web-flow | head -1 | awk '{print $1}')
gpg --lsign-key $pubkeyid
Now the commits will show up as "G" because the signature is considered valid.
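To make the status codes above concrete, here is an added shell example (not part of the original post) that takes one-line-per-commit output in the shape of `git log --format='%h %G? %s'` and reports every commit whose sig code is not in an allowed set, so you can spot the "N", "E" and "B" cases the previous sections talk about. The sample log lines are constructed, not real commits, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit git signature status codes (%G?) against a policy.
# Constructed sample of `git log --format='%h %G? %s'` output; hashes are made up.
SAMPLE_LOG='a1b2c3d G Add signed feature
d4e5f6a N Unsigned quick fix
b7c8d9e E Merge pull request (web-flow key not imported)
c0d1e2f U Web edit via github.com, key imported but not signed
e3f4a5b B Commit whose signature does not verify'

# Map a %G? code to the meaning documented for git log.
describe_sig() {
  case "$1" in
    G) echo "good signature" ;;
    B) echo "BAD signature" ;;
    U) echo "good signature, unknown validity" ;;
    X) echo "good signature that has expired" ;;
    Y) echo "good signature made by an expired key" ;;
    R) echo "good signature made by a revoked key" ;;
    E) echo "signature cannot be checked (missing key?)" ;;
    N) echo "no signature" ;;
    *) echo "unknown code '$1'" ;;
  esac
}

# Print "hash code: meaning" for every commit whose code is not in $1.
# $1 is the set of accepted codes as a string, e.g. "G" or "GU".
# $2 is the log text; defaults to the constructed sample above.
audit_signatures() {
  accept="$1"
  log="${2:-$SAMPLE_LOG}"
  printf '%s\n' "$log" | while read -r hash code rest; do
    case "$accept" in
      *"$code"*) ;;  # accepted, stay quiet
      *) printf '%s %s: %s\n' "$hash" "$code" "$(describe_sig "$code")" ;;
    esac
  done
}

# Exit status 0 only if every commit satisfies the policy.
check_policy() {
  [ -z "$(audit_signatures "$1" "${2:-$SAMPLE_LOG}")" ]
}

# Run against the sample: accept only "G", so four commits are reported.
audit_signatures G
```

On a real repository, feed it the log for the range you care about, for example `audit_signatures GU "$(git log --format='%h %G? %s' origin/main..HEAD)"`, and use `check_policy` as a pre-push gate. Accepting "U" is the pragmatic choice if you import but do not locally sign GitHub's web-flow key; once you have signed it, "G" alone is enough.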