Github verified commits


Emails, texts, and other messages can be verified using GPG (GNU Privacy Guard) signatures, among other methods. The first thing to note is that the project was given the name G10 in recognition of the Federal Republic of Germany's constitution's Tenth Amendment.

In particular, it is used to sign Git commits and to validate work on GitHub from trusted collaborators.

Okay, let's take a look at how GPG is applied to GitHub, GitLab, and other platforms for commit verification.

How to configure Git verification with GPG

1. Install GPG by downloading it from the project's website or using Brew.

2. Create a key: open a terminal (on Windows, use Git Bash) and run:

gpg --full-generate-key

 

Select the RSA type, the 4096 size, and an expiration date.

The email you enter must match the one you used to create your GitHub account.

3. Print the list of keys and make a copy of the fingerprint ID for the generated key.

gpg --list-secret-keys --keyid-format LONG

 
The marked section is the ID of the PGP key, which is the ending of its fingerprint.

4. Export the key in ASCII format with its ID.

gpg --armor --export 3AA5C34371567BD2

Generated PGP-key

After that, you can sign any committed work via Terminal:

git commit -S -m "your commit message" # Creates a signed commit

The -S flag means a signed commit. You may be asked for the passphrase you entered when generating the PGP key.
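The key selection in step 3 and the email rule above can be checked mechanically. This is an added example, not code from the original post: the hypothetical helper signing_key_for reads gpg's --with-colons listing and returns the long key ID only if the key carries the given email, is RSA with at least 4096 bits, and has not expired. The sample listing is constructed, and expiry is assumed to be in epoch seconds as GnuPG 2.x prints it.

```shell
#!/bin/sh
# Added example: choose user.signingkey from gpg's machine-readable listing.
# Real input comes from: gpg --list-secret-keys --with-colons
# Colon fields used: 1=record type, 3=key length, 4=algorithm (1 = RSA),
# 5=long key ID, 7=expiry (epoch seconds, empty = never), 10=user ID.

# Constructed sample listing, not real keys. 3AA5C34371567BD2 is the example
# ID used on this page; every other ID, name and email here is made up.
SAMPLE_LISTING='sec:u:4096:1:3AA5C34371567BD2:1700000000:1900000000::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000003AA5C34371567BD2:
uid:u::::1700000000::0000::Dev Example <dev@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1700000000:1900000000:::::e:::+:::23:
sec:u:2048:1:AAAABBBBCCCCDDDD:1500000000:1600000000::u:::scESC:::+:::23::0:
uid:u::::1500000000::0000::Old Key <old@example.com>::::::::::0:'

# signing_key_for EMAIL NOW [LISTING]   (hypothetical helper name)
# Prints the long key ID of the first secret key whose user ID contains
# <EMAIL>, that is RSA with >= 4096 bits, and that is not expired at NOW.
# Returns 1 and prints the reason on stderr when no key qualifies.
signing_key_for() {
    printf '%s\n' "${3:-$SAMPLE_LISTING}" |
    awk -F: -v email="$1" -v now="$2" '
        # A "sec" record starts a new secret key; remember its properties.
        $1 == "sec" { id = $5; bits = $3 + 0; algo = $4; expiry = $7 }
        # A "uid" record belongs to the most recent "sec" record.
        $1 == "uid" && index(tolower($10), "<" tolower(email) ">") {
            seen = 1
            if (algo != 1 || bits < 4096) { why = id ": not RSA 4096"; next }
            if (expiry != "" && expiry + 0 <= now + 0) { why = id ": expired"; next }
            print id; found = 1; exit
        }
        END {
            if (found) exit 0
            if (!seen) why = "no secret key with user ID <" email ">"
            print why > "/dev/stderr"
            exit 1
        }'
}

# Typical use against the real keyring (the email is a placeholder):
#   id=$(signing_key_for you@example.com "$(date +%s)" \
#        "$(gpg --list-secret-keys --with-colons)") &&
#   git config --global user.signingkey "$id"
```

Pass the same address that `git config user.email` reports, since that is the address the commit will carry.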

How to set up GPG verification in GitHub Desktop

The official GitHub Desktop application does not support GPG signing, but there is a way to add the feature manually.

Configure the Git client to sign all commits and tell it which key to use.

git config --global commit.gpgsign true
git config --global user.signingkey 3AA5C34371567BD2

 

Add the no-tty option to the GPG configuration file and specify the program location.

For macOS

echo "no-tty" >> ~/.gnupg/gpg.conf
git config --global gpg.program /usr/local/bin/gpg

For Windows

sed -i '/^no-tty/d' ~/.gnupg/gpg.conf
git config --global --unset gpg.program

 

From now on, all commits created via GitHub Desktop will be signed and verified. The client may ask you for the GPG key passphrase on the first commit.


The commit was made by a verified collaborator.

The instructions for GitLab are quite similar.

 
Mahendra Rathod
Developer from 🇮🇳
@maddygoround
© 2024 Mahendra Rathod