How to Do Verified Commits on GitHub

How to Do Verified Commits on GitHub

Step-by-Step Guide to Adding Verified Badges to GitHub Commits

ยท

4 min read

Have you ever wished your GitHub commits could have that prestigious "verified" badge, similar to the coveted blue tick on social media? While I can't help with Instagram verification, I can guide you through the process of verifying your GitHub commits. Verified commits not only add authenticity and security to your work but also showcase your professionalism. Let's dive in and get your commits verified!

What Are Verified Commits?

Verified commits are a way to ensure that the changes pushed to a repository are genuinely from you and haven't been tampered with by someone else. GitHub uses GPG (GNU Privacy Guard) to sign commits and tags, adding a layer of security and authenticity to your contributions.

Below is an example of how a verified commit looks. Example of a verified commit

Why Should You Use Verified Commits?

  • Authenticity: Assures your collaborators and users that your commits are genuinely from you.
  • Security: Prevents unauthorized changes and tampering.
  • Professionalism: Adds credibility to your open-source projects.

The Problem with Unverified Commits

One significant issue with unverified commits is that anyone can pretend to be you by simply changing the git config settings. For example, someone can set their user.name and user.email to your details and make commits that appear to come from you. Without verification, these commits can mislead collaborators and compromise the integrity of your project.

An Example Scenario

Consider a situation where a friend makes a commit using your name and email address:

git config user.name "Your Name"
git config user.email "your.email@example.com"

Below commit was made using my friend's details from my account. Example commit using my friends details

This commit will appear to be from you, but since you use verified commits, it will be tagged as Unverified on GitHub. This visual cue helps distinguish between genuine and potentially spoofed commits.

By using verified commits, you can ensure that only commits genuinely made by you carry the "Verified" badge, enhancing trust and authenticity.

How to Get Started with Verified Commits

Step 1: Install GPG

First, you need to install GPG on your system.

Windows: Download and install Gpg4win. macOS: Use Homebrew to install GPG.

brew install gnupg

Linux: Use your package manager.

sudo apt-get install gnupg

Step 2: Check Existing GPG Keys

Before generating a new GPG key, check if you already have one.

gpg --list-secret-keys --keyid-format LONG

This command lists all the GPG keys available on your system along with their details. If you find an existing key you'd like to use, you can skip to adding this key to GitHub.

Step 3: Generate a GPG Key

If you don't have an existing GPG key or want to create a new one, generate a new GPG key.

gpg --full-generate-key

Follow the prompts to set up your key. Choose RSA and RSA (default), key size of 4096 bits, and set a validity period if you prefer. Enter your name and email address (use the same email address associated with your GitHub account).

Step 4: Retrieve Your GPG Key ID

After generating the key, retrieve your GPG key ID.

gpg --list-secret-keys --keyid-format LONG

You'll see an output similar to this:

/home/user/.gnupg/secring.gpg
------------------------------
sec   4096R/ABC123456789DEF0 2024-01-01 [expires: 2025-01-01]
uid                          Your Name <your.email@example.com>
ssb   4096R/0987654321ABCDEF 2024-01-01

Copy the long string after sec (in this case, ABC123456789DEF0).

Step 5: Add Your GPG Key to GitHub

Export your GPG key and add it to your GitHub account.

gpg --armor --export ABC123456789DEF0

Copy the output and go to GitHub > Settings > SSH and GPG keys > New GPG key. Paste the key there and save it.

Step 6: Configure Git to Use Your GPG Key

Tell Git to sign your commits with your GPG key.

git config --global user.signingkey ABC123456789DEF0

To sign all your commits by default, add this to your global Git configuration.

git config --global commit.gpgSign true

Step 7: Verify Your Signed Commits

Now, every time you commit, Git will sign the commit with your GPG key. You can verify that your commits are signed and verified on GitHub by looking for the "Verified" badge next to your commits.

Troubleshooting

If you encounter issues, ensure that your GPG key is correctly associated with your GitHub email and that you've configured Git correctly. You may also need to cache your GPG passphrase to avoid entering it every time you commit.

echo "use-agent" >> ~/.gnupg/gpg.conf
echo "default-cache-ttl 28800" >> ~/.gnupg/gpg-agent.conf
echo "max-cache-ttl 28800" >> ~/.gnupg/gpg-agent.conf

Restart the GPG agent to apply the changes.

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

Conclusion

Adding GPG signatures to your commits is a great way to enhance the security and authenticity of your contributions on GitHub. It assures others that your work is genuinely yours and hasn't been tampered with. Follow these steps to get your commits verified and add that extra layer of credibility to your projects.

ย