Today I learned how to check that the commits attributed to my account have not been tampered with by malicious actors.
The idea is simple: generate a GPG key, add its public half to your GitHub account, then pass the extra -S option whenever you make a commit. With these steps in place, the Unverified status next to your commits is replaced by Verified.
1. Install GnuPG and the macOS pinentry:
brew install gpg pinentry-mac
2. Generate a new GPG key.
3. Follow the prompts to finish the key generation.
4. Get the key ID.
5. Get the public key:
gpg --armor --export YOUR_KEY_ID
6. Add the public key to your git host (on GitHub it lives under Settings, SSH and GPG keys).
7. Point git at your gpg binary:
git config --global gpg.program gpg
8. Tell git which key to sign with (the ID from step 4):
git config --global user.signingkey YOUR_KEY_ID
9. Make gpg-agent prompt for the passphrase through pinentry-mac. Use the path that `which pinentry-mac` prints; Homebrew on Apple Silicon installs to /opt/homebrew/bin rather than /usr/local/bin:
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
10. Sign your commits whenever you commit:
git commit -m "message" -S
(Optional) 11. Configure globally to sign all your commits:
git config --global commit.gpgsign true
(Optional) 12. Back up your gpg keys. A plain `gpg --export` writes only the public key, so a restorable backup must export the secret key; keep the file offline and encrypted:
gpg --export-secret-keys --armor > gpg.keys.backup
gpg --import gpg.keys.backup
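The whole procedure run end to end, as an added example that is not code from the original post. It assumes gpg 2.1+ and git on PATH, uses a throwaway GNUPGHOME and repository with a constructed identity (Demo Signer, demo-signer@example.invalid), sets the git options repo-locally instead of --global so the machine's real configuration is untouched, and adds the two things the post leaves implicit: the local check that tells a signed commit from an unsigned one, and a backup that really contains the secret key.

```shell
#!/bin/sh
# Added example for this post (not the author's code): run the signing setup
# unattended in a throwaway GnuPG home and git repo, then verify the result the
# way a reviewer or CI job would. Identity, paths and messages are constructed.
set -eu

DEMO_ROOT=$(mktemp -d)
export GNUPGHOME="$DEMO_ROOT/gnupg"
REPO="$DEMO_ROOT/repo"
RESTORE_HOME="$DEMO_ROOT/gnupg-restore"

cleanup() {
  # stop the agents spawned for both throwaway homes, then drop everything
  gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$RESTORE_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$DEMO_ROOT"
}
trap cleanup EXIT

new_home() { mkdir -p "$1" && chmod 700 "$1"; }

# Steps 2-3 without prompts: a sign-only ed25519 key with no passphrase
# (%no-protection), acceptable only because this home is deleted on exit.
generate_demo_key() {
  new_home "$GNUPGHOME"
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo-signer@example.invalid
Expire-Date: 0
%commit
EOF
}

# Step 4: read the fingerprint from machine-readable (--with-colons) output,
# field 10 of the "fpr" record. Works for whichever GNUPGHOME is passed as $1.
fingerprint_in() {
  GNUPGHOME="$1" gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 7, 8 and 10: repo-local equivalents of the post's --global settings,
# then one signed commit. Prints the new commit hash.
make_signed_commit() {
  git init -q "$REPO"
  git -C "$REPO" config user.name "Demo Signer"
  git -C "$REPO" config user.email "demo-signer@example.invalid"
  git -C "$REPO" config gpg.program gpg
  git -C "$REPO" config user.signingkey "$1"
  git -C "$REPO" commit -q -S --allow-empty -m "signed: initial commit"
  git -C "$REPO" rev-parse HEAD
}

# A commit made without -S (and without commit.gpgsign), for contrast.
make_unsigned_commit() {
  git -C "$REPO" commit -q --no-gpg-sign --allow-empty -m "unsigned: follow-up"
  git -C "$REPO" rev-parse HEAD
}

# The check the post leaves to GitHub: "good" only if the commit carries a
# valid signature from a key present in this keyring, "bad" otherwise.
signature_status() {
  if git -C "$REPO" verify-commit "$1" 2>/dev/null; then echo good; else echo bad; fi
}

# Step 12 done correctly: a restorable backup needs --export-secret-keys
# (plain --export writes only the public key). Imports it into a second empty
# home and prints that home's fingerprint for comparison with the original.
backup_and_restore_key() {
  gpg --batch --armor --export-secret-keys "$1" > "$DEMO_ROOT/gpg.keys.backup"
  new_home "$RESTORE_HOME"
  GNUPGHOME="$RESTORE_HOME" gpg --batch --quiet --import "$DEMO_ROOT/gpg.keys.backup" 2>/dev/null
  fingerprint_in "$RESTORE_HOME"
}

generate_demo_key
FPR=$(fingerprint_in "$GNUPGHOME")
SIGNED=$(make_signed_commit "$FPR")
UNSIGNED=$(make_unsigned_commit)
RESTORED=$(backup_and_restore_key "$FPR")
echo "key $FPR: signed $SIGNED -> $(signature_status "$SIGNED"), unsigned $UNSIGNED -> $(signature_status "$UNSIGNED")"
echo "backup restores fingerprint $RESTORED"
git -C "$REPO" log --show-signature --oneline
```

`git verify-commit` answers only "is this a valid signature from a key in my keyring"; GitHub's Verified badge additionally requires the key to be attached to the account whose email appears in the commit, so a locally good signature can still show as Unverified there until step 6 is done.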
That's it! Protect your repository in 10 easy steps 🤩!
🙏🙏🙏 Since you've made it this far, sharing this article on your favorite social media network would be highly appreciated 💖! For feedback, please ping me on Twitter.