Signing Git Commits for those sweet, sweet Verified Badges
Signing your git commits is an important step in ensuring that your projects and code can be trusted.
- Setup GPG
- Add Your Public Key to GitHub
- Add Your Signing Key to Git
- Configure Visual Studio Code and Sign Git Commits
Confession time - I’ve had a GitHub account since 2014 and haven’t signed a single commit. I’ve read various tweets and articles about signing your commits, but never committed (git it? … see what I did there…) to setting up a signature until recently.
I’m not a developer, I just write a bunch of scripts, but I like the idea of signing my commits so that others can see that all changes to my code are verified. There are plenty of articles on why signing your commits is a good idea. Here’s a couple:
If you’ve ever edited a file directly on github.com and committed the changes, you would surely have noticed those Verified badges:
To be honest, the GitHub documentation on managing commit signature verification is pretty good, but here’s how I stumbled my way through setting up a signature to enable signed commits.
Setup GPG
I write PowerShell scripts and modules primarily on macOS, so I’ve installed GPG Suite to create and manage keys. Creating keys can be achieved on the command line, but the GPG Keychain makes managing keys simple.
- Create a new key pair using the same email address used when committing code to your git repository and also used to sign into GitHub
- Ensure you use a strong password to protect the key. I manage passwords in 1Password, making it simple to create and store keys. It’s a 39-character random string, which means relying on copy and paste, of course
- I’ve also exported my public and private key to store in my 1Password vault as backup and a way to copy the key into a Windows VM
- Finally I’ve uploaded my public key to the key server with the ‘Send Public Key to the Key Server’ option. Some GPG nerd would know exactly what that does, but I don’t believe it’s actually required for signing commits and pushing to GitHub, because we need to upload the public key to GitHub anyway.
Add Your Public Key to GitHub
Adding your public key to your GitHub account is easy:
- Right-click your key and choose Copy
- Open your GitHub settings, choose SSH and GPG keys and click New GPG Key
- Paste in the key and click Add GPG Key
Add Your Signing Key to Git
To sign your commits, you of course need to tell git about your GPG key. On macOS that looks like this - in Terminal, list your keys to find the key ID for the key added to your GitHub account:
gpg --list-secret-keys --keyid-format LONG
With defaults, the key ID will be on the line that starts with ‘sec’, after the slash that follows the key type. Copy the key ID and use git to configure the signing key. In my case, it looks like this:
git config --global user.signingkey C55D39F88CE9A2C5
On Windows the process for signing git commits is much the same. First install Git for Windows and use git bash instead of Terminal.
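Here’s the same key-ID lookup and git configuration as a small shell script, added as an example and not part of the original post. It parses a constructed sample of the gpg listing (the key ID matches the one above; the fingerprint, path and email are placeholders) so the extraction step can be checked without a keyring, then wraps the git configuration and a post-commit verification in functions you can run in a real repository:

```shell
#!/bin/sh
# Added example: pick the long key ID off the 'sec' line of gpg's listing,
# hand it to git, and check that commits actually come out signed.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output.
# The fingerprint line, path and email are placeholders, not real values.
SAMPLE_GPG_OUTPUT='/Users/me/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/C55D39F88CE9A2C5 2020-05-01 [SC]
      0000000000000000000000000000000000000000
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/0123456789ABCDEF 2020-05-01 [E]
'

# Print the long key ID from the first 'sec' line (the part after the slash).
extract_signing_keyid() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# Tell git which key to sign with, and sign every commit by default so the
# GUI setting is not the only thing standing between you and an unsigned push.
configure_git_signing() {
  keyid="$1"
  git config --global user.signingkey "$keyid"
  git config --global commit.gpgsign true
}

# After committing, confirm the signature is present and valid for HEAD.
# `git verify-commit` exits non-zero on a missing or bad signature.
verify_head_signature() {
  git log --show-signature -1
  git verify-commit HEAD
}

# Usage in a real shell (requires gpg and a repository):
#   configure_git_signing "$(extract_signing_keyid "$(gpg --list-secret-keys --keyid-format LONG)")"
#   git commit -m "signed change" && verify_head_signature
```

The parsing step is what you would otherwise do by eye; the verification step is worth keeping around because a commit that silently fell back to unsigned (for example, a GUI tool that ignores the setting) will not get the badge, and `git verify-commit` tells you before you push.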
Configure Visual Studio Code and Sign Git Commits
Finally, we can configure Visual Studio Code to sign our git commits. I typically rely on GitHub Desktop to commit and push code; however, it doesn’t support commit signing. While I could use the command line to commit changes, I’d prefer to manage commits from fewer tools, hence doing that in VSCode instead.
In Preferences, search for ‘git signing’ and select ‘Git: Enable Commit Signing’:
VSCode supports version control using git from directly within the VSCode window. On your first commit, you’ll be prompted to enter the password for your GPG key before the commit will complete.
That’s about all the steps required for signing git commits. We have signed commits in a GitHub repository and a sweet, sweet Verified badge - now I can brag to all my friends and they’ll know that code came from me. My mum still won’t understand what I do for a living, but you can’t get a win every day.