Today I learned how to check that the commits attributed to my account were really made by me and not forged by someone else (git lets anyone put any name and email on a commit, so the author field alone proves nothing).
The idea is that you generate a GPG key first, add its public half to your GitHub account, and finally pass an extra -S option whenever you make a commit. With the above steps, GitHub shows a Verified or Unverified status next to each of your commits.
Steps

1. Install the gpg and pinentry-mac binaries:
   brew install gpg pinentry-mac
2. Generate a new gpg key:
   gpg --full-gen-key
3. Follow the prompts to finish the key generation (check details here).
4. Get the gpg key id:
   gpg --list-secret-keys
5. Get the public key:
   gpg --armor --export YOUR_KEY_ID
6. Add the public key to your git host (for GitHub, the GPG keys section of your account settings).
7. Configure git locally:
   git config --global gpg.program gpg
   git config --global user.signingkey YOUR_KEY_ID
8. Configure gpg-agent to use pinentry-mac for passphrase prompts:
   echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
9. Restart gpg-agent so it picks up the new config:
   killall gpg-agent
10. Sign your commits whenever you commit:
   git commit -m "message" -S

(Optional) 11. Configure git globally to sign all your commits, so you never forget -S:
   git config --global commit.gpgsign true

(Optional) 12. Back up your gpg keys. Note that plain gpg --export writes only the public key; to be able to sign again after restoring, export the secret key as well, and keep the resulting file somewhere safe since it contains your private key.
   - Exporting:
     gpg --export-secret-keys --armor > gpg.keys.backup
   - Importing:
     gpg --import gpg.keys.backup

That's it! Signed commits in 10 easy steps 🤩!
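Two of the steps above, step 4 (reading your key id out of the gpg listing) and the check that step 10 enables (telling signed-and-trusted commits apart from everything else in a history), are easy to script. The following is an added example, not code from the original post; it parses the text that gpg and git print, so it runs on the constructed sample listings embedded below without needing a keyring, and the two wrapper functions at the end assume gpg and git are installed when you point them at a real repository.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Two helpers for the steps
# above: pull the signing key id out of `gpg --list-secret-keys` output
# (step 4) and audit a repository's history for commits whose signature does
# not verify (the check that step 10 makes possible). Both parse text, so
# they can be exercised on the constructed samples below without a keyring.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output
# (the key ids and fingerprint here are made up).
SAMPLE_GPG_LISTING='/home/alice/.gnupg/pubring.kbx
------------------------------------
sec   rsa4096/3AA5C34371567BD2 2024-01-15 [SC]
      9F6A2B1C3D4E5F60718293A4B5C6D7E83AA5C34371567BD2
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-15 [E]'

# Constructed sample of `git log --format="%G? %H %an"` output. %G? is git's
# signature status: G good, U good but untrusted key, N unsigned, B bad,
# E cannot check (missing key), X/Y expired, R revoked.
SAMPLE_GIT_LOG='G 1111111111111111111111111111111111111111 Alice Example
U 2222222222222222222222222222222222222222 Bob Builder
N 3333333333333333333333333333333333333333 Alice Example
B 4444444444444444444444444444444444444444 Mallory'

# Read a secret-key listing on stdin and print the id of the first "sec"
# (signing-capable primary) key, i.e. the value to use for user.signingkey.
extract_signing_key_id() {
  sed -n 's|^sec[[:space:]][[:space:]]*[a-z0-9][a-z0-9]*/\([0-9A-F]\{16\}\).*|\1|p' |
    head -n 1
}

# Read "<status> <hash> <author>" lines on stdin, print one line per commit
# that is not carrying a good signature from a trusted key, and return 1 if
# any such commit exists (0 when every commit verifies).
audit_signatures() {
  awk '
    { verdict = "" }
    $1 == "G" { next }
    $1 == "U" { verdict = "signed, but the key is not trusted" }
    $1 == "N" { verdict = "unsigned" }
    $1 == "B" { verdict = "BAD signature" }
    $1 == "E" { verdict = "cannot verify (public key missing)" }
    $1 == "X" || $1 == "Y" { verdict = "signature or key expired" }
    $1 == "R" { verdict = "key revoked" }
    verdict == "" { verdict = "unknown status " $1 }
    {
      author = $0
      sub(/^[^ ]+ [^ ]+ /, "", author)   # strip status and hash, keep the name
      printf "%s (%s): %s\n", $2, author, verdict
      flagged++
    }
    END { exit (flagged > 0) }
  '
}

# Wrappers for a real machine (assume gpg and git are installed; these are
# not exercised by the offline checks on the samples above).
current_signing_key_id() {
  gpg --list-secret-keys --keyid-format LONG | extract_signing_key_id
}

audit_repo_signatures() {
  git -C "${1:-.}" log --format='%G? %H %an' | audit_signatures
}
```

Usage on a real repository: `audit_repo_signatures /path/to/repo` lists every commit that is unsigned, signed with a key you have not marked as trusted, or carrying a bad signature, and exits non-zero if it found any, which makes it usable as a pre-push or CI gate. Only status G is treated as clean: U means the signature checks out cryptographically but you have not verified that the key belongs to the person it names, which is exactly the gap an impersonator would sit in.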
🙏🙏🙏 Since you've made it this far, sharing this article on your favorite social media network would be highly appreciated 💖! For feedback, please ping me on Twitter.