Code1180

Verified Commits - GPG

GPG (GNU Privacy Guard) lets you sign your Git commits, so that anyone holding your public key can verify that a commit was created by the holder of your private key and has not been altered since. This adds an extra layer of security and authenticity to your code contributions.

Adapted from the GitHub documentation.

List Keys

To see your existing GPG keys:

gpg --list-secret-keys --keyid-format=long

This lists all your secret keys along with their long key IDs (the part after the slash on the "sec" line).

Generate Key

If you don't have a GPG key yet, generate one:

gpg --full-generate-key

Follow the prompts to create your key. GitHub recommends using:

  • RSA and RSA (default)
  • 4096 bits
  • Key does not expire (or set an expiration date)

Configure Git

After generating your key, configure Git to use it:

# Get your GPG key ID
gpg --list-secret-keys --keyid-format=long

# Configure Git with your key ID
git config --global user.signingkey YOUR_KEY_ID

# Enable commit signing by default
git config --global commit.gpgsign true

Add GPG Key to GitHub

  1. Export your public GPG key:
gpg --armor --export YOUR_KEY_ID
  2. Copy the output (including the BEGIN and END lines)
  3. Go to GitHub Settings → SSH and GPG keys
  4. Click "New GPG key"
  5. Paste your public key and save

Verify Commits

After setup, your commits will show as "Verified" on GitHub. You can also verify a commit's signature locally:

git log --show-signature
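The two steps above that are easy to get wrong by hand are picking the right key ID out of the gpg listing and checking that every commit in a range really carries a good signature from that key. The script below is an added example (not part of the original post or of GitHub's documentation) that does both: extract_key_id parses the output of gpg --list-secret-keys --keyid-format=long, and audit_signatures reads git log --format='%H %G? %GK' output and flags commits that are unsigned, badly signed, or signed by a different key. The gpg listing and git log text embedded in it are constructed samples so that it runs offline; the key IDs and commit hashes are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Parses a gpg secret-key
# listing for the long key ID Git needs, then audits git log output so
# that only commits with a good signature (%G? = G) from that key pass.

# Constructed sample of `gpg --list-secret-keys --keyid-format=long`.
SAMPLE_GPG_LISTING='sec   rsa4096/3AA5C34371567BD2 2024-01-15 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                 [ultimate] Example Dev <dev@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-15 [E]'

# Print the long ID of the first secret ("sec") key read from stdin.
# This is the value to put into `git config --global user.signingkey`.
extract_key_id() {
    awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# Constructed sample of `git log --format="%H %G? %GK"`.
# %G? is the signature status: G good, B bad, U good but untrusted,
# N no signature, among others. %GK is the signing key ID (empty when
# the commit is unsigned).
SAMPLE_GIT_LOG='a1b2c3d4 G 3AA5C34371567BD2
e5f6a7b8 N
c9d0e1f2 G 0000000000000000
13579bdf B 3AA5C34371567BD2'

# Read "hash status key" lines from stdin and report every commit whose
# signature is not a good one made by the expected key. Exits 1 when
# any commit was reported, 0 when the whole range is clean.
audit_signatures() {
    expected_key="$1"
    awk -v key="$expected_key" '
        $2 != "G" { print $1 ": signature status " $2; bad++; next }
        $3 != key { print $1 ": signed by unexpected key " $3; bad++ }
        END { if (bad) exit 1 }'
}

# Demonstration on the constructed samples. In a real repository pipe
# the live command output instead, e.g.
#   gpg --list-secret-keys --keyid-format=long | extract_key_id
#   git log --format='%H %G? %GK' origin/main..HEAD | audit_signatures "$KEY_ID"
KEY_ID=$(printf '%s\n' "$SAMPLE_GPG_LISTING" | extract_key_id)
echo "signing key: $KEY_ID"
printf '%s\n' "$SAMPLE_GIT_LOG" | audit_signatures "$KEY_ID" || echo "audit found problems"
```

Run on the samples, the audit reports e5f6a7b8 (unsigned), c9d0e1f2 (signed by another key) and 13579bdf (bad signature), and leaves a1b2c3d4 alone. Checking %GK as well as %G? matters: a "G" status only says some trusted key produced a valid signature, not that it was the key you expect for this contributor.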

Troubleshooting

If you're having issues, make sure:

  • The email in your Git config (user.email) matches an email address on your GPG key
  • GPG is properly installed and on your PATH, so Git can run it
  • Your GPG key hasn't expired

For more detailed information, see the GitHub documentation.

Conclusion

Signing your commits with GPG adds credibility and security to your Git workflow. While it requires some initial setup, it's a valuable practice for any serious developer.