Recently I set up personal repositories on a work laptop, using a separate git config. As I was configuring the "personal" git config, I couldn't remember how to enable signed commits for committing to GitHub-hosted repositories.
I do have an old Tweet about this, but I figured I might as well turn this into a quick blog post.
Note: this is specific to GitHub, which has its signed-commits docs spread across multiple pages of its documentation. For reference, GitLab has a single-page guide, which looks much easier to follow.
Step 1: Generate GPG keys
$ sudo apt install gnupg
$ gpg --gen-key
Fill in your name and email, optionally set a pass phrase.
Step 2: Let git know
See this GitHub docs page:
$ gpg --list-secret-keys --keyid-format=long <EMAIL>
Find the sec line and grab the long form of the key ID, which begins after the slash:
sec rsa3072/<GPG_KEY_ID> 2022-07-02 [SC] [expires: 2024-07-01]
Add it to your global git config, at ~/.gitconfig. For me, ~/.gitconfig-florimondmanca (my personal git config) now looks like this:
[user]
    name = florimondmanca
    email = <EMAIL>
    signingkey = <GPG_KEY_ID>
[commit]
    gpgsign = true
commit.gpgsign = true enables auto-signing of git commits.
Step 3: Add GPG key to GitHub
Export the ASCII-armored GPG public key for the long-form key ID:
$ gpg --armor --export <GPG_KEY_ID>
Copy the output, then add it to your GitHub account.
Should be all set. Now try pushing a commit, and you should see that green "Verified" badge on commits or pull requests.
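As an added example, not part of the original post: a small POSIX shell script that automates the fiddly part of Step 2, pulling the long-form key ID (and its expiry date) out of the output of gpg --list-secret-keys --keyid-format=long and rendering the [user]/[commit] fragment shown above. The gpg output, the name, the e-mail address and the key IDs embedded in it are constructed sample values, not real keys; the function names are my own. Before pushing, git log --show-signature -1 shows locally whether the last commit was signed with the expected key.

```shell
#!/bin/sh
# Added example (not from the original post): script the "grab the long key ID"
# step so the rest of the signed-commit setup can be automated.

# Constructed sample of what `gpg --list-secret-keys --keyid-format=long` prints.
# Key IDs, fingerprint, name and e-mail are placeholders, not real keys.
SAMPLE_GPG_OUTPUT='/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa3072/ABCDEF0123456789 2022-07-02 [SC] [expires: 2024-07-01]
      0123456789ABCDEF0123456789ABCDEF01234567
uid                 [ultimate] Jane Doe <jane@example.com>
ssb   rsa3072/FEDCBA9876543210 2022-07-02 [E] [expires: 2024-07-01]'

# Print the long-form key ID from the first "sec" line: the text after the slash
# in the second column ("rsa3072/ABCDEF0123456789" -> "ABCDEF0123456789").
extract_long_key_id() {
    printf '%s\n' "$1" | awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# Print the expiry date from the first "sec" line, or "never" when the key has none.
# An expired signing key makes new commits fail to sign and old ones show as unverified,
# so this is worth checking when reusing a key generated a while ago.
key_expiry() {
    printf '%s\n' "$1" | awk '$1 == "sec" {
        if (match($0, /expires: [0-9-]+/)) print substr($0, RSTART + 9, RLENGTH - 9)
        else print "never"
        exit }'
}

# Render the [user] / [commit] fragment from the post for the given name, e-mail and key ID.
render_gitconfig() {
    printf '[user]\n\tname = %s\n\temail = %s\n\tsigningkey = %s\n[commit]\n\tgpgsign = true\n' \
        "$1" "$2" "$3"
}

# Stand-alone run against the constructed sample. With a real keyring, replace
# SAMPLE_GPG_OUTPUT by: "$(gpg --list-secret-keys --keyid-format=long jane@example.com)"
KEY_ID=$(extract_long_key_id "$SAMPLE_GPG_OUTPUT")
echo "Long key ID: $KEY_ID (expires: $(key_expiry "$SAMPLE_GPG_OUTPUT"))"
render_gitconfig "Jane Doe" "jane@example.com" "$KEY_ID"
```

To write the fragment into a separate personal config as in the post, redirect render_gitconfig's output to that file (for example ~/.gitconfig-personal) and include it from ~/.gitconfig; the script deliberately only prints, so nothing is changed until you decide where it goes.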