How to sign your commit?

Today I learned how to make sure that the commits attributed to my account were really created by me and have not been tampered with by malicious actors.

The idea is that you first generate a GPG key, then add its public key to your GitHub account, and finally pass the extra -S option whenever you make a commit. After these steps, GitHub shows a Verified or Unverified status next to each of your commits.

Steps

  1. Install the gpg and pinentry-mac binaries
brew install gpg pinentry-mac
  2. Generate a new gpg key
gpg --full-gen-key
  3. Follow the prompts to finish generating the key. Check details here.
  4. Get the gpg key id
gpg --list-secret-keys
  5. Export the public key
gpg --armor --export YOUR_KEY_ID
  6. Add the public key to your git host (for GitHub, under the GPG keys settings of your account)
  7. Configure git locally
git config --global gpg.program gpg
git config --global user.signingkey YOUR_KEY_ID
  8. Configure gpg-agent to use pinentry-mac for passphrase prompts
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
  9. Restart gpg-agent so it picks up the new configuration
killall gpg-agent
  10. Sign your commits whenever you commit
git commit -S -m "message"

(Optional) 11. Configure git globally to sign all your commits, so you no longer need -S

git config --global commit.gpgsign true

(Optional) 12. Back up your gpg keys. Note that gpg --export alone writes only public keys; the secret key you sign with needs --export-secret-keys, and that file must be stored somewhere private.

gpg --export --armor > gpg.keys.backup
gpg --export-secret-keys --armor YOUR_KEY_ID > gpg.secret-key.backup
gpg --import gpg.keys.backup
gpg --import gpg.secret-key.backup
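Signing is only half of the story: somebody has to verify. As an added example (not part of the original post), the script below audits a commit range with git's signature placeholders (%G? for the verification status, %GF for the signing-key fingerprint) and accepts a commit only when the signature is valid and the key is on an allow-list, which is the same idea as GitHub's Verified badge. The fingerprints and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that every commit in a range carries a valid GPG
# signature from an allow-listed key. Fingerprints are constructed placeholders.
set -eu

# Allow-listed signing-key fingerprints, one per line (constructed placeholders).
ALLOWED_FINGERPRINTS='0000000000000000000000000000000000000001
0000000000000000000000000000000000000002'

# check_commit_line "<sha> <G?> <fingerprint>"
# Input has the shape of one line of: git log --format='%H %G? %GF'
# %G? is G (good), U (good but key untrusted), N (unsigned), B (bad),
# X/Y (expired signature/key), R (revoked key), E (cannot verify).
# Prints one verdict line; returns 0 only for a valid signature made by an
# allow-listed fingerprint.
check_commit_line() {
  set -- $1                      # split "<sha> <status> <fpr>" on whitespace
  sha=$1; status=${2:-N}; fpr=${3:-}
  case "$status" in
    G|U) ;;
    N)   echo "$sha FAIL unsigned"; return 1 ;;
    B)   echo "$sha FAIL bad signature"; return 1 ;;
    X|Y) echo "$sha FAIL expired signature or key"; return 1 ;;
    R)   echo "$sha FAIL revoked key"; return 1 ;;
    E)   echo "$sha FAIL cannot verify (public key not in keyring?)"; return 1 ;;
    *)   echo "$sha FAIL unknown status '$status'"; return 1 ;;
  esac
  # The signature verifies cryptographically; a "Verified" verdict also needs
  # the key to belong to someone we expect, so compare the fingerprint.
  if [ -n "$fpr" ] && printf '%s\n' "$ALLOWED_FINGERPRINTS" | grep -qx -- "$fpr"; then
    echo "$sha OK signed by $fpr"
  else
    echo "$sha FAIL valid signature but unexpected key '$fpr'"; return 1
  fi
}

# audit_log: read "<sha> <G?> <fpr>" lines on stdin, report each one,
# and return 1 if any commit fails the check.
audit_log() {
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    check_commit_line "$line" || rc=1
  done
  return $rc
}

# audit_range RANGE: run against a real repository, e.g. audit_range origin/main..HEAD
audit_range() {
  git log --format='%H %G? %GF' "${1:-HEAD}" | audit_log
}
```

Run audit_range in a pre-receive hook or CI job to reject pushes that contain unsigned commits or commits signed by a key you do not recognise.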

That's it! Protect your repository in 10 easy steps 🤩!

🙏🙏🙏 Since you've made it this far, sharing this article on your favorite social media network would be highly appreciated 💖! For feedback, please ping me on Twitter.
