10 Millionth Guide On How To Sign Commits

Most guides online I found are long and kinda confusing, so here is a very short and clear guide on how to set up Git and sign commits with a PGP key.

Linux: Have your PGP keys ready. The key's user ID must use the same email address as the account on the service you're pushing commits to (e.g. GitHub, Codeberg, etc.), otherwise the service will refuse the key or show your commits as unverified.

  1. If you don't have a PGP key, you can generate one (I recommend ed25519 instead of RSA) with gpg --full-generate-key --expert (at your terminal), select (9) ECC (sign and encrypt), then (1) Curve 25519, enter the expiration date of that key (0 means the key never expires; a few years is a sensible default), then enter your name and email (the email must be the same as the one you signed up to the service with).
  2. Do gpg --list-secret-keys --keyid-format=long and copy the long hex string printed under the line starting with sec ed25519 $DATE and above your name and email. That is the key's fingerprint; either the full fingerprint or the 16-character long key ID printed after ed25519/ on the sec line works as your key ID in the next steps.

Set up your .gitconfig.

  1. If you haven't set it up before, run git config --global user.name "foobar" and git config --global user.email "foo@bar.com" (change foobar and foo@bar.com to the name and email you used in your PGP key), then git config --global user.signingkey foobar and paste the key ID you copied in step 2 above instead of foobar. You can also run git config --global commit.gpgsign true if you want every commit signed by default instead of adding -S (capital S) every time you commit. Note that lowercase -s is --signoff, which only appends a Signed-off-by trailer to the message and is not a cryptographic signature.
  2. If you have set it up before, use your text editor to edit ~/.gitconfig and change the values under [user] (name, email, signingkey) to those of the PGP key you created or already had.

Add your public key to the service you are using.

  1. Do gpg --export --armor foobar (where foobar is your key ID; without it gpg exports every public key in your keyring), which will print the ASCII-armored version of your public key. Copy the whole block, from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----, go to your account settings, GPG/SSH keys (the name varies per service), and paste it there. If the email in your PGP key is different from the one on your account, the service will reject it with an error saying the account has no email address matching the key. You can either:
    1. Add that email address as a secondary/primary email address to your online account.
    2. Do gpg --edit-key foobar (where foobar is your key ID), type adduid and enter the new details (these will not override the old ones, but add a second name and email to the existing key), then type save to write the change. Since the user ID is part of the key, you have to export and upload the public key again after this.
    3. Delete the old key with gpg --delete-secret-keys foobar followed by gpg --delete-keys foobar, and create a new key.

You should be ready now. Just do your regular commits (with commit.gpgsign true, or with git commit -S otherwise), gpg should ask for your key's passphrase, and the service should show your commits as signed/verified. You can check locally with git log --show-signature -1, which prints "Good signature from ..." for the last commit. If signing fails with "Inappropriate ioctl for device", gpg could not open a terminal for the passphrase prompt; put export GPG_TTY=$(tty) in your shell's rc file and try again.
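The whole procedure above, run end to end as a throwaway script. This is an added example, not part of the original guide: it generates an ed25519 signing key, points git at it, makes one signed commit and asks git for its verdict on the signature. It runs in a fresh temporary GNUPGHOME and a fresh temporary repository, so it touches neither your real keyring nor your ~/.gitconfig; the name "Foo Bar", the email foo@bar.com and the commit message are made-up placeholders, and the empty passphrase is used only so the demo runs unattended.

```shell
#!/bin/sh
# Added example (not from the guide): sign one commit with a freshly
# generated ed25519 key and verify it, entirely in temporary directories.
set -eu

# Generate a signing-only ed25519 key non-interactively and print its
# fingerprint, i.e. the "long number" the guide tells you to copy.
# The empty passphrase is ONLY for an unattended demo; use a real one.
make_signing_key() {
    name="$1"; email="$2"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$name <$email>" ed25519 sign 0 >/dev/null 2>&1
    # --with-colons gives machine-readable output; the fpr record's
    # 10th field is the full fingerprint.
    gpg --batch --with-colons --list-secret-keys "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Create a repo configured like the guide's .gitconfig step (locally here,
# --global in real life), make one commit and print git's one-letter
# verdict on its signature: %G? prints G for a good signature from a
# key git/gpg trusts.
signed_commit_status() {
    fpr="$1"; name="$2"; email="$3"; repo="$4"
    git init -q "$repo"
    git -C "$repo" config user.name "$name"
    git -C "$repo" config user.email "$email"
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign true   # sign by default, no -S needed
    git -C "$repo" commit -q --allow-empty -m "signed test commit"
    git -C "$repo" log -1 --pretty=%G?
}

# Run everything in a private GNUPGHOME and repo, clean up, and print the
# signature status (expected: G).
run_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    repo=$(mktemp -d)
    fpr=$(make_signing_key "Foo Bar" "foo@bar.com")
    echo "key fingerprint: $fpr" >&2
    status=$(signed_commit_status "$fpr" "Foo Bar" "foo@bar.com" "$repo")
    # Same check a human would do; prints "Good signature from ..." on stderr
    # and fails (non-zero exit) if the signature is missing or bad.
    git -C "$repo" verify-commit HEAD
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME" "$repo"
    echo "$status"
}

# Usage: sh sign-demo.sh run
case "${1:-}" in
    run) run_demo ;;
esac
```

Run it with sh sign-demo.sh run; the last line printed is G when the commit was signed by the generated key and verified. The two pieces you would carry over to a real setup are the three git config user.* lines plus commit.gpgsign, and the fingerprint printed to stderr, which is what goes into user.signingkey.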

BONUS

If you use VSCode or VSCodium, you can go to the settings, type gpg in the settings filter and enable Git: Enable Commit Signing (git.enableCommitSigning in settings.json). It uses the same user.signingkey from your .gitconfig, so the steps above still have to be done first.