Skip to content

Instantly share code, notes, and snippets.

@nepsilon
Last active June 30, 2017 22:21
Show Gist options
  • Save nepsilon/111f800157b1d6b938b693d897ab0e35 to your computer and use it in GitHub Desktop.
Save nepsilon/111f800157b1d6b938b693d897ab0e35 to your computer and use it in GitHub Desktop.
How and why to sign your commits with GPG? — First published in fullweb.io issue #105

How and why to sign your commits with GPG?

When a team signs their commits, it’s easy to verify the commits are actually from the team members.

If you don’t have a GPG key yet, generate one with gpg --gen-key. Enter the info at the prompt, and then type gpg --list-secret-keys --keyid-format LONG to view your key info. At the line starting with sec, the string between the / and the space is your PUBLIC_KEY_ID. Note it down, and add run the following command to instruct git to use it:

git config user.signingkey PUBLIC_KEY_ID
git config gpg.program gpg
git config commit.gpgsign true

From now on, when you commit in that repo (or every repo if you used git config --global) you commits will be signed and verified.

Next, upload your public key to GitHub to see your commit marked as "Verified". You can see your public key with the command gpg --armor --export PUBLIC_KEY_ID.

@mayeenulislam
Copy link

A helpful link, if anybody need:
https://stackoverflow.com/a/36811656/1743124

@nepsilon
Copy link
Author

Thanks @mayeenulislam, I just updated the gist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment