This content originally appeared on DEV Community and was authored by Fahad Imran
Hi fellows!
In this blog, I will show you how to get verified commits on GitHub. I recently came across a fantastic article that explained this very process and I was able to set up verified commits on my laptop. But that article mainly covered Mac OS and Linux operating systems. Since I am using Windows 10, I thought about sharing a guide targeted towards Windows users. Enjoy!
What Are Verified Commits?
Here is what GitHub says about verified commits:
Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.
In simple words, commit verification allows other users to know that these commits are actually made by the person claiming to have made them. GitHub shows a verified badge next to these commits.
For commits made on GitHub like pull requests and merges etc., GitHub already shows the verified badge since it knows that you made these commits. However, for verifying local commits a GPG key is required.
Why Should I Care?
The reason you should care about verified commits (apart from the fact that it looks cool) is that it is very easy to commit pretending to be someone else. Using the git config command you can change your email and name to act like someone else made these commits.
This can have serious consequences. If multiple people are working on a repository, it might be possible for someone to introduce a catastrophic bug, then change their committer identity and rewrite history to act like someone else made that bug. Although this is not a perfect solution, it can be enough to portion blame on someone else.
However, with verified commits, this is not an issue since even if someone changes their identity to match yours those commits won't show up as verified on GitHub, and no damage can be done :)
The Procedure
OK. Now that you have a basic idea of what verified commits are and why you should verify your commits, we will now go over the steps required to verify your local commits.
1. Install the Required Tools
The first step is to install the required tools. You'll need to install git bash and GnuPG. Git bash is self-explanatory while GnuPG is the command-line tool required to generate a GPG key.
2. Generate a GPG Key
Once both of these tools are installed, the next step is to generate a GPG key. A GPG key comes in a pair i.e. a Public Key and a Private Key. We will be uploading the Public Key to GitHub. But keep in mind to never share your Private Key with anyone.
First, use the following command to see if you have any existing keys on your system:
gpg --list-secret-keys --keyid-format LONG
If you haven't generated a GPG key before chances are that you won't find any listed as was the case for me.
Now we can generate a new key pair using the following command:
gpg --full-generate-key
Now it will ask you for the configuration of your GPG key. Here is the screenshot of my configurations:
Here are my settings:
- Kind of Key:
RSA and RSA (default) - Size of Key:
4096 bits - Key Validity:
0(does not expire)
Type y to accept these settings. Now you will be asked to construct a user ID to identify your key. Here is a screenshot of my configurations:
A couple of things here. First, add your real name and then an email address. For security reasons, it is better to add the GitHub provided no-reply email address. I will write a dedicated blog about using the GitHub no-reply email soon.
Finally, press o to accept the settings. At this point, you will probably be prompted to set a passphrase for your key. After setting your desired password it will take a couple of seconds and your key will be generated!
Verify that GPG keys have been generated successfully by using --list-secret-keys command again.
gpg --list-secret-keys --keyid-format LONG
This time you will see an output like this:
3. Configure Git to Use the Key Locally
Now that you have successfully generated the GPG key, the next step is to tell git to use this key for signing your commits. To do so, you'll need your Long Key ID.
List the keys on your machine using:
gpg --list-secret-keys --keyid-format LONG
The IDs beside the word sec refer to your short and long key IDs respectively. The jumble of letters after the words rsa/4096 on the first line is your short key ID and the long key ID is on the next line. Refer to the above image:
Short Key ID:
Long Key ID:
Now that you know your Long Key ID, use the following command to tell git about your signing key:
git config --global user.signingkey <your-key-id>
Note: Replace the Long Key ID with your own ID
Finally, configure git to automatically sign all commits from now on:
git config --global commit.gpgsign true
Now even if you forget to add the -S flag, git will automatically sign all your commits using the GPG key you specified.
4. Upload the Public GPG Key on GitHub
Now that the local configuration is done, all that is left is to upload the Public Key onto GitHub to get verified commits. Begin by exporting both your Public and Private keys using the following commands:
gpg --export -a your-key-id > my-key-public.asc
gpg --export-secret-key -a your-key-id > my-key-private.asc
Note: Replace your-key-id with your own Long Key ID
Open the Public key file in Notepad or your favorite text editor and copy its contents from -----BEGIN PGP PUBLIC KEY BLOCK----- till -----END PGP PUBLIC KEY BLOCK----- (included).
Now head on over to GitHub and in settings find the SSH and GPG Keys section. Click on the New GPG Key button and paste your Public Key contents into it. Click Add GPG Key to add the GPG key to your GitHub account.
All that is left to do now is to make a commit. The first time you make a commit, you will be prompted for the passphrase you set earlier. After you have made the commit, push your code to GitHub and you'll be treated with a shiny verified badge next to the commit!
You can also use a program like Kleopatra which was installed with the GnuPG utility in my case. It provides a graphical interface for managing your keys and allows for caching your passphrase for longer as well if needed.
5. Backup and Import Your Keys
Finally, it is important to back up your public as well as private keys. I would recommend storing them in your password manager like Lastpass, Dashlane, etc. Or maybe in a separate external hard drive.
In case you have to import the keys on a new machine use the following commands:
gpg --import my-key-public.asc
gpg --import my-key-private.asc
This will import the keys but you will still need to set the trust before you can use them. In order to set the trust level use the following command:
gpg --edit-key <your-key-id>
Replace <your-key-id> with your key ID. This will take you to the GPG command-line editor. Then type the word trust and set the level at 5 which is the ultimate trust and is the same level of trust that a machine would have if it generated the key itself. Type quit to exit the prompt.
That's All Folks!
Whew! It was quite a process but we made it. Now you know how to generate GPG keys to sign git commits, how to add the key to GitHub and restore generated keys on a new machine.
As always, feel free to read my blogs on Articles By Fahad. Thanks for reading and happy coding! ?
This content originally appeared on DEV Community and was authored by Fahad Imran
Fahad Imran | Sciencx (2021-02-23T15:27:29+00:00) How To Get Verified Commits on GitHub: A Complete Guide!. Retrieved from https://www.scien.cx/2021/02/23/how-to-get-verified-commits-on-github-a-complete-guide/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.