How to Verify Your Git Commits with GPG: A Step-by-Step Guide

Published: December 29, 2025 at 12:37 AM EST
2 min read
Source: Dev.to


In the world of open source and collaborative development, identity is everything. When you see a commit from torvalds on the Linux kernel, how do you know it’s actually Linus Torvalds and not an impersonator?
The answer is GPG signing.

By signing your commits with a GPG (GNU Privacy Guard) key, you let anyone cryptographically verify that a commit was made by the holder of your private key and has not been altered since it was signed. GitHub (and GitLab) rewards this with a shiny green “Verified” badge.

1. Install GPG

macOS (Homebrew)

brew install gnupg

Linux (Debian/Ubuntu/Pop!_OS)

sudo apt install gnupg

Windows

Download and install Gpg4win.

2. Generate a GPG Key

gpg --full-generate-key

You will be prompted for:

  • Kind of key: (1) RSA and RSA (default)
  • Key size: 4096
  • Expiration: 0 (key does not expire) – adjust if your policy requires it
  • Real Name: your full name
  • Email Address: must match the email address verified on GitHub
  • Passphrase: a strong password to protect the private key

3. Get Your Key ID

List your secret keys to find the long‑format Key ID:

gpg --list-secret-keys --keyid-format LONG

Example output:

sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC]

uid                 [ultimate] John Doe 

In this example, 3AA5C34371567BD2 is the Key ID you will use.

4. Tell Git About Your Key

Set the signing key globally:

git config --global user.signingkey 3AA5C34371567BD2

(Replace 3AA5C34371567BD2 with your actual Key ID.)

Enable automatic signing for all commits (recommended):

git config --global commit.gpgsign true

5. Add Your Public Key to GitHub

  1. Export the public key:

     gpg --armor --export 3AA5C34371567BD2

  2. Copy the entire output, including the BEGIN and END lines.

  3. In GitHub, go to Settings → SSH and GPG keys → New GPG key, paste the key, and save.

6. Verify It Works

Create a signed commit:

git commit -m "My first signed commit"

Push the commit to GitHub. You should see a Verified badge next to the commit in the repository’s history.

Verified Badge Example

Troubleshooting

  • “Unverified” badge: Ensure the email set in git config user.email matches the email embedded in your GPG key and that the same email is verified in your GitHub account settings.
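
The following POSIX shell script is an added example, not part of the original post. It automates the troubleshooting check above: it parses a listing in the format printed by gpg --list-secret-keys --keyid-format LONG (step 3) to pull out the long key ID and the e-mail address of every uid, then tests whether the address Git will stamp on commits is one of them. The listing embedded as SAMPLE_KEYS is a constructed sample so the parsing runs without gpg installed; the live_check function assumes gpg and git are on PATH and finishes with git verify-commit HEAD, the local equivalent of the Verified badge.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the e-mail Git puts
# on your commits is one of the uids on your GPG signing key, the usual cause
# of an "Unverified" badge. Parsing targets the output format of
#   gpg --list-secret-keys --keyid-format LONG
# shown in step 3. SAMPLE_KEYS is a constructed listing (placeholder
# fingerprint and addresses); live_check needs real gpg and git on PATH.

SAMPLE_KEYS='sec   rsa4096/3AA5C34371567BD2 2024-01-01 [SC]
      0000000000000000000000000000000000000000
uid                 [ultimate] John Doe <john@example.com>
uid                 [ultimate] John Doe <jdoe@example.org>
ssb   rsa4096/0123456789ABCDEF 2024-01-01 [E]'

# Print the long (16 hex digit) key ID from the first "sec" line on stdin.
first_key_id() {
    sed -n 's#^sec[^/]*/\([0-9A-F]\{16\}\).*#\1#p' | head -n 1
}

# Print the e-mail address from every "uid" line on stdin, one per line.
uid_emails() {
    sed -n 's#^uid.*<\([^>]*\)>.*#\1#p'
}

# Succeed (exit 0) when e-mail $2 appears verbatim in a uid of listing $1.
email_on_key() {
    printf '%s\n' "$1" | uid_emails | grep -Fxq -- "$2"
}

# Check the real environment. Assumes gpg and git are installed (not shown on
# the page). Exits non-zero on a mismatch or if HEAD's signature fails.
live_check() {
    listing=$(gpg --list-secret-keys --keyid-format LONG) || return 1
    git_email=$(git config --get user.email) || { echo 'user.email is not set'; return 1; }
    signing_key=$(git config --get user.signingkey || true)
    echo "git user.email:      $git_email"
    echo "git user.signingkey: ${signing_key:-<unset>}"
    echo "first secret key:    $(printf '%s\n' "$listing" | first_key_id)"
    if email_on_key "$listing" "$git_email"; then
        echo "OK: $git_email is a uid on a local secret key"
    else
        echo "MISMATCH: $git_email is not on any secret key uid; expect an Unverified badge"
        return 1
    fi
    # Local equivalent of the GitHub badge: fails if HEAD is unsigned or the
    # signature does not verify against a key in the local keyring.
    git verify-commit HEAD
}

# Demonstration against the constructed sample (no gpg needed).
printf 'sample key id: %s\n' "$(printf '%s\n' "$SAMPLE_KEYS" | first_key_id)"
printf 'sample uid e-mails:\n%s\n' "$(printf '%s\n' "$SAMPLE_KEYS" | uid_emails)"
if email_on_key "$SAMPLE_KEYS" 'john@example.com'; then
    echo 'john@example.com: present on key'
fi
if ! email_on_key "$SAMPLE_KEYS" 'other@example.net'; then
    echo 'other@example.net: NOT on key (this is the Unverified-badge case)'
fi
```

Run it as-is to see the parsing on the sample, then call live_check in a shell where the script has been sourced to test your own machine. Note that grep -Fx compares the address exactly, so a difference in case or a trailing space in user.email will be reported as a mismatch, which is what you want to catch before pushing.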