Sign language for the letter W
Published on

Verifying your GitHub commits


Have you ever looked a PR in GitHub and noticed that some commits have a Verified chip and some don't? And that it's usually the PR merges that do? What gives?

Well it turns out that you are able to sign your commits with PGP to verify that you actually committed them! It's easy to set different details when authoring a commit:

git commit --author="Not Matt Wicks <[email protected]>"
Setting the author of a commit is rather easy

Let's not jump to the conclusion that this is a universally bad thing - there are valid reasons when you want to commit something in someone else's name. For example, at SSW we are migrating SSW Rules from a SharePoint site to a staticly generated site using Gatsby and GitHub. We want to preserve the history i.e. I wrote or updated a rule, then the commit message should be in my name - that way the history stays intact. Being able to set the author is critical for this to work.

Although, for my recent work - I'd like to let others know it was definitely me who committed the work (good or bad).

How I set it up

The GitHub docs were pretty good but I deviated on a couple of things:

UPDATE: 1Password now does this for me and was much easier to setup -

(BTW I'm on a Mac, I'd love to hear how you got it to work on Windows)

Old way:

  1. Install gnupg2

    brew install gnupg2
    brew link --overwrite gnupg
  2. I didn't like the sound of GPG Suite, so I went for Pinetry for Mac to store the passphrase of the PGP key in the OS keychain

    brew install pinentry-mac
    echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
    killall gpg-agent
  3. Now that the tools are installed, we can generate a PGP key that GitHub can use. You will need to enter your name and email address (make sure they match the ones used in your Git config - don't ask why I know 😉)

    gpg --default-new-key-algo rsa4096 --gen-key
  4. You'll need a passphrase for the PGP key - I recommend using a password manager to generate and store (I use 1Password)

  5. Let's grab the secret's key In the GitHub example: 4096R/3AA5C34371567BD2 we can see that:

    • it's using 4096bit RSA
    • the key is 3AA5C34371567BD2
    $ gpg --list-secret-keys --keyid-format LONG
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Hubot 
    ssb   4096R/42B317FD4BA89E7A 2016-03-10
  6. Export and copy the key (make sure to include the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----)

    gpg --armor --export 3AA5C34371567BD2
  7. Go to Github - SSH and GPG Keys and

    1. Click New GPG Key
    2. Paste the key in the textbox
    3. Click Add GPG Key Where to add GPG Keys
  8. Now let's tell Git to sign commits and which PGP key to use

    git config --global user.signingkey 3AA5C34371567BD2
    git config --global commit.gpgsign true
  9. You're done! Commit and push your signed commits!

Hope this helps! Let me know how it goes!