You can sign your commits with a GPG key. Before we continue with generating a GPG key, let's first check if you already have one.
Use the following command to check for any existing GPG keys. This wont list keyid.
$ gpg --list-secret-keys
To list the keyid, you need to specify --keyid-format=short | long option.
$ gpg --list-secret-keys --keyid-format=long
The short format will list shorter version of keyid while long displays the whole ID.
Here's a sample of what the result might look like:
$ gpg --list-secret-keys --keyid-format=long /Users/hubot/.gnupg/secring.gpg ------------------------------------ sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10] uid Hubot <hubot@example.com> ssb 4096R/4BB6D45482678BE3 2016-03-10
If you already have your key that can be used for GitHub, you may skip the next section. You might want to read 'Export the GPG key' part.
Generate a new GPG key
GPG Command Line Tools are not installed on macOS or Windows by default. To install it, visit GnuPG's Download Page
Version check
Check the version of your gpg using gpg --version.
Generate the key
If the version of your gpg is 2.1.17 or greater, use the following command:
$ gpg --full-generate-key
Otherwise, use this command to start the process.
$ gpg --default-new-key-algo rsa4096 --gen-key
Select options and Verify
You will be prompted multiple times by the program. Choose the desired option each time and proceed, or simply press Enter to accept the default selection.
Once you have selected all the options, the program will list your selections for you to double-check. Verify the information, and if everything is correct, proceed, and the GPG key will be generated.
Export the GPG key
Use gpg --list-secret-keys --keyid-format=long to check the key you've just created.
$ gpg --list-secret-keys --keyid-format=long /Users/hubot/.gnupg/secring.gpg ------------------------------------ sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10] uid Hubot <hubot@example.com> ssb 4096R/4BB6D45482678BE3 2016-03-10
Then, use this command to export the GPG key in ASCII-armored format:
$ gpg --armor --export 3AA5C34371567BD2
Copy the generated key and then go to your GitHub account settings.
Navigate to SSH and GPG keys, click New GPG key, and paste the key you just copied.
Now you are ready to sign your commits. In order to do that, you need to adjust couple configurations for the git.
Signing a commit
You're going to need the keyid you just generated.
$ gpg --list-secret-keys --keyid-format=long # example /Users/hubot/.gnupg/secring.gpg ------------------------------------ sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10] uid Hubot <hubot@example.com> ssb 4096R/4BB6D45482678BE3 2016-03-10
In this example, 3AA5C34371567BD2 is going to be the GPG key ID we need.
Setup
Use the following command to set your primary GPG signing key in Git.
git config --global user.signingkey 3AA5C34371567BD2
If you are using a subkey (e.g. 4BB6D45482678BE3), include ! as a suffix.
git config --global user.signingkey 4BB6D45482678BE3!
Sign off
Now you can use -s flag to sign off a commit.
git commit -s -m "commit message"
You can use git log --show-signature to check signed commits.
If you want to re-sign the most current commit, use the following command.
git commit --amend --no-edit -s
But if you want to make this a default behavior, set commit.gpgsign to true. Then you can omit the -s flag.
git config --global commit.gpgsign true git commit -m "commit message"