DEV Community

Cover image for How to fix unverified commits on GitHub
Margeaux Spring
Margeaux Spring

Posted on

How to fix unverified commits on GitHub

Is today the day you are signing your commits but still experienceing the dreaded amber "unverified' tag on them? I have a solution that worked for me to fix that issue.

First run this command via the command line to see which keys already exist: gpg --list-secret-keys --keyid-format=long

You should get a list of the keys that you have previously generated.

Make sure the email that is being used in your key on GitHub is the correct email in git by running this command: git config --list

The output of user name, email and key should match what is in your GPG key on GitHub:

user.name=Margeaux Spring
user.email=youremailhere
user.signingkey=yourgpgkey

If there is an email mismatch, your signed commits are still being tagged as β€œunverified” on GitHub, and you will need to add the correct email found via the step above with this command:
git config --global user.email youremailhere

You cannot assume that git will use the same email for storing and signing the commit.

You can also add more than one email to a key like this:
1. gpg --list-secret-keys --keyid-format=long
2. gpg --edit-key YOURKEYTOEDITHERE
3. a gpg prompt should appear, then you type adduid and press enter
4. add the email you need to when prompted
5. after you have followed all the prompts, enter save at the gpg prompt
6. now enter gpg --armor --export YOUREDITEDKEY
7. copy and paste the entire block that appears in your terminal, from and including:

-----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----

Next, go to GitHub and click on Settings->SSH & GPG Keys, delete the old key, click the green New GPG Key button, paste in the key you have copied from your terminal output previously and click save.

Your commits should now be automagically verified.

Top comments (0)