How to sign your commit?

Today I learned how I can check the commits attributed to my account are not touched by malicious actors.

The idea is that you can generate a GPG key first, then add this key to your GitHub account, finally add an extra -S option whenever you make a commit. With the above steps,
you can see the Verified and Unverified status along with your commits.

Steps #

1. Install gpg and pinentry-mac binaries

brew install gpg pinentry-mac

2. Generate a new gpg key

gpg --full-gen-key

3. Follow the prompt messages to finish steps ()

Check details here

4. Get the gpg key id

gpg --list-secret-keys

5. Get the public key

gpg --armor --export YOUR_KEY_ID

6. Configure the public key to your git host

7. Configure git locally

git config --global gpg.program gpg
git config --global user.signingkey YOU_KEY_ID

8. Configure gpg-agent

echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf

9. Restart gpg-agent

killall gpg-agent

10. Sign your commits whenever you commit

git commit -m "message" -S

(Optional) 11. Configure globally to sign all your commits

git config --global commit.gpgsign true

(Optional) 12. Back up your gpg keys

• Exporting

gpg --export --armor > gpg.keys.backup

• Importing

gpg --import gpg.keys.backup

That's it! Protect your repository with easy 10 steps 🤩!

🙏🙏🙏 Since you've made it this far, sharing this article on your favorite social media network would be highly appreciated 💖! For feedback, please ping me on Twitter.

Published 13 May 2021