7.4 KiB
title | description | date | lastmod | draft | noindex | nav_weight | series | categories | tags | images | authors | |||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
How To Create 'Verified' (Sign) Git Commit Using SSH or GPG Signature (Linux) | How to add a 'Verified' commit message to GitHub using SSH Signing Key or GPG Signing Key, step by step. | 2023-10-26T10:33:43+07:00 | false | false | 1000 |
|
|
|
How to add a "Verified" commit message to GitHub using SSH Signing Key or GPG Signing Key.
If you often visit the commit history page of a GitHub repository, you may find that there are some commit messages with "Verified" badge, unlabeled, or even "Unverified" with an orange colored badge.
This feature on GitHub indicates that the commit or tag comes from an authentic source and has been verified by GitHub. This is important so that other users who use the repository are sure that the changes made to the repository are indeed from verified sources.
Until this article was written, there were 3 ways to sign the commit message: by using GPG signature, SSH signature, and S/MIME signature. From those three methods, I want to share my experience using the GPG and SSH signatures method to signing commit.
To follow steps in this article, make sure that your current Git configuration is working without any problems. If you have never set up Git, follow my previous article: [How To Use Git Using SSH Protocol For GitHub]({{< ref "/tutorials/how-to-use-git-using-ssh-protocol-for-github/index.md" >}}).
Using SSH key signature
The easiest way is using the SSH signature method. You can use the SSH key that you already use for the Authentication key and upload the same public key to use as the Signing key.
Note: To use the SSH Key Signature method, you need to use Git
2.34
and above.
Adding SSH key as signing key
To add an SSH key as a Signing key in your GitHub account:
- Go to "Settings" > "SSH and GPG keys" > Click the "New SSH key" button.
- Fill in "Title" with whatever you can easily remember to identify your SSH key.
- In the "Key type" section, select "Signing Key".
- Finally return to the terminal and paste the contents of SSH public key into textarea "Key". After that, click the Add SSH key" button.
Change the Git configuration on your local computer
After the SSH Signing key has been added to your GitHub Account, you need to change the Git gpg.format
configuration value to ssh
by running the following command:
git config --global gpg.format ssh
Finally, update the user.signingkey
config and enter the location where the SSH PUBLIC KEY that you have uploaded is:
git config --global user.signingkey ~/.ssh/github_key.pub
Note: Change
~/.ssh/github_key.pub
with the actual location your PUBLIC KEY is stored.
Using GPG key signature
You can use GPG Key Signature to sign commit messages.
Generating GPG key
If you don't have a GPG key pair yet, you can create one by running the following command:
gpg --full-generate-key
After executing the command above, you will be asked to complete the information, including:
- Type: Choose any, I recommend just using the default:
RSA and RSA
. - Key size: Fill in between 1024 and 4096. Default 3072. I recommend using
4096
. - How long the GPG key is valid: I recommend using the default (
0
, no expiration date). - Enter Name and email information. Pay attention when filling in email information, make sure the email you enter is the same as the email you use on GitHub.
- Enter
passharse
your GPG key.
Example output from the gpg --full-generate-key
command:
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Jasmerah1966
Email address: jasmerah1966@example.com
Comment: GPG sign key untuk GitHub
You selected this USER-ID:
"Jasmerah1966 (GPG sign key untuk GitHub) <jasmerah1966@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/jasmerah1966/.gnupg/openpgp-revocs.d/F5FEE1EF836C62F5361A643B156C485C2EB2C1D6.rev'
public and secret key created and signed.
pub rsa4096 2023-10-23 [SC]
F5FEE1EF836C62F5361A643B156C485C2EB2C1D6
uid Jasmerah1966 (GPG sign key untuk GitHub) <jasmerah1966@example.com>
sub rsa4096 2023-10-23 [E]
Getting your GPG keys information
To see your GPG key list (having a secret key), you can run the following command:
gpg --list-secret-keys --keyid-format=long
Example output from the command above:
/home/jasmerah1966/.gnupg/pubring.kbx
-------------------------------------
sec rsa4096/156C485C2EB2C1D6 2023-10-23 [SC]
F5FEE1EF836C62F5361A643B156C485C2EB2C1D6
uid [ultimate] Jasmerah1966 (GPG sign key untuk GitHub) <jasmerah1966@example.com>
ssb rsa4096/04951FB42332019F 2023-10-23 [E]
Then run the following command to get the GPG key in ASCII armor format:
gpg --armor --export 156C485C2EB2C1D6
Note: Change my key ID above (
156C485C2EB2C1D6
) with your key ID.
Copy your GPG key (starting from -----BEGIN PGP PUBLIC KEY BLOCK-----
to -----END PGP PUBLIC KEY BLOCK-----
) which after this step, you need to add to your GitHub account.
Adding GPG to Your GitHub Account
- Go to "Settings" > "SSH and GPG keys" > Click the "New GPG key" button.
- Fill in "Title" with whatever you can easily remember to identify your GPG key.
- Enter your GPG key into textarea "Key". After that, click the Add GPG key" button.
Signing your commit
If it has been set correctly, you can commit with the command git commit -S
or git commit -S -m 'Your commit message'
For signing with S/MIME I have never had the opportunity to try. Maybe if anyone wants to add it, please add it by doing a pull request.
I hope this helps.