10 Millionth Guide On How To Sign Commits
Most guides online I found are hard and kinda confusing, so here is a very short and clear guide on how to set up Git and sign commits.
Linux:
1. Have your PGP keys ready. They should have the same email address as the service you're trying to push commits to (e.g. GitHub, Codeberg, etc.)
   - If you don't have a PGP key, you can generate one (I recommend ed25519 instead of RSA) with `gpg --full-generate-key --expert` (at your terminal), select `(9) ECC and ECC`, `(1) Curve 25519`, enter the expiration date of that key (you can leave it at `0`), enter your name and email (the email must be the same as the one you signed up to the service with).
   - `gpg --list-keys` and copy that long number that is above your name and email and under `ed25519 $DATE` (which will be your key ID).
2. Set up your
   - If you haven't set it up before, `git config --global user.name "foobar"` and `git config --global user.email "email@example.com"` (change foobar and the email to the name and email that you used in your PGP key) and `git config --global user.signingkey foobar` and paste that long number you copied in step 1.2 instead of foobar. You can also add `git config --global commit.gpgsign true` if you want to sign them by default instead of adding `-S` every time you commit.
   - If you have set it up before, use your text editor to edit `.gitconfig` and change the values to the PGP key (name, email, key ID) you created or had before.
3. Add your public key to the service you are using. `gpg --export --armor` will print the armored version of your public key. Copy that, go to your account settings, PGP/SSH keys (names can vary), and paste the text that got exported. If your account's email is different from the one in your PGP key, the service will give you an error saying that the account has no email matching the one in your PGP key. You can either:
   - Add that email address as a secondary/primary email address to your online account.
   - `gpg --edit-key foobar` (where foobar is your key ID), type `adduid` and enter new details (these will not override the old ones, but they will add a new name and email to the existing details).
   - Delete the old one with `gpg --delete-secret-keys $Your_key_name` and create a new key.
You should be ready now. Just do your regular commits, and it should ask for your PGP key password, and it should show your commits as signed.
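To confirm that the setup really produces verifiable signatures, the steps above can be rehearsed in a throwaway keyring and repository. This is an added example, not part of the original guide; the name, email, empty passphrase and temporary paths are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: rehearse the guide's steps in a throwaway keyring and repo,
# then ask Git whether each commit carries a valid signature.
# Name, email and temp paths are constructed placeholders.

demo_signing() (
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || :; rm -rf "$work"' EXIT

    # Private keyring: your real ~/.gnupg and ~/.gitconfig are not touched.
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Step 1: ed25519 signing key. Empty passphrase and 1-day expiry are for
    # this disposable demo only; protect a real key with a passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Foo Bar <email@example.com>' ed25519 sign 1d \
        2>/dev/null || exit 1
    # Use the full fingerprint as the key ID so it cannot be ambiguous.
    fpr=$(gpg --list-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || exit 1

    # Step 2: the guide's settings, but scoped to the test repo (no --global).
    repo="$work/repo"
    git init -q "$repo" || exit 1
    git -C "$repo" config user.name 'Foo Bar'
    git -C "$repo" config user.email 'email@example.com'
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign true

    # One commit signed by default, one with signing explicitly switched off.
    git -C "$repo" commit -q --allow-empty -m 'signed by default' || exit 1
    signed=$(git -C "$repo" log -1 --format='%G?')
    git -C "$repo" commit -q --allow-empty --no-gpg-sign -m 'unsigned' || exit 1
    unsigned=$(git -C "$repo" log -1 --format='%G?')

    # %G? prints G for a good signature (U if the key's validity is unknown)
    # and N when the commit has no signature at all.
    echo "$signed $unsigned"
)
```

Source the file and run `demo_signing`; in your real repository, `git log --show-signature -1` gives the same check in human-readable form.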
If you use VSCode or VSCodium, you can go to the settings, type `gpg` in the settings filter and enable `Git: Enable Commit Signing`.