How to Make Verified GitHub Commits

Created by M. Massenzio, 2021-12-24

GitHub has a set of detailed instructions, however, if you know your way around a Linux shell and basic understanding of how keys work, this is a condensed TL;DR version.

Also, with minimal effort it could be automated in a shell script (even uploading the key to GitHub via API).

Here is the sequence of commands, along with the relevant output:

gpg --generate-key

gpg --list-keys
    pub   rsa3072 2021-12-25 [SC] [expires: 2023-12-25]
          A6D*******************************72EE84
    uid           [ultimate] Marco Massenzio <***@****.io>
    sub   rsa3072 2021-12-25 [E] [expires: 2023-12-25]

GPG_KEY=A6D*******************************72EE84
gpg --keyserver keyserver.ubuntu.com \
    --send-keys $GPG_KEY

gpg --list-signatures --keyid-format 0xshort
    pub   rsa3072/0x0B*****4 2021-12-25 [SC] [expires: 2023-12-25]
          A6D*******************************72EE84
    uid           [ultimate] Marco Massenzio <***@****.io>
    sig 3        0x0B*****4 2021-12-25  Marco Massenzio <***@****.io>
    sub   rsa3072/0x4******D 2021-12-25 [E] [expires: 2023-12-25]
    sig          0x0B*****4 2021-12-25  Marco Massenzio <***@****.io>

GPG_ID="0x0B*****4"
gpg --armor --export $GPG_ID

Finally, update your GitHub settings to add the new public GPG key (which was printed out to console with the --export command).

Edit the .git/config local file (or the global one ${HOME}/.gitconfig) to add the identity of the signature:

git config --global commit.gpgsign true
git config --global user.signingkey $GPG_ID

(use --local to only change the settings in the current git repository)

Or you can manually edit the file:

[user]
    name = Marco Massenzio
    email = <<email@example.com>>
    # The value in $GPG_ID
    signingkey = 0x0B*****4

Now, every commit from this user will be marked as verified by GitHub (provided that the configured user’s email matches the GPG Key email).

Incidentally, much of this is needed to publish Maven JARs to Maven Central; this will be the topic for a (much longer) future post.

If you need to understand how to generate GPG keys (and why), there is this post from RedHat which is a good starting point.

One response to “How to Make Verified GitHub Commits”

  1. […] This is done using a GPG key pair, that you will need to create, before publishing the artifact; if you are not familiar with the process GitHub has a series of articles on GPG Keys or you are welcome to just peruse my condensed version. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: