Have you ever noticed how some commits have a verified tag next to them, and wondered what it means and why not all commits show it?
I always thought it was interesting that commits could be verified, and I wondered why it was even necessary. Is a non-verified commit worth less than a verified one? Does it prevent others from taking credit for your work? So I dug into it and was able to get all of my commits verified, and below I share with you how easy it is to set up and why it is useful.
If you want to get deep into this, Github has an entire section in their docs that talks about commit signatures, but I'll do my best to summarize the basics below.
What does it mean to have a verified commit?
If you see a verified commit and click on the tag, you will see a message similar to the image above saying that a commit has been signed with the committer's verified signature, and it displays a GPG Key ID as proof of the signature.
GPG stands for GNU Privacy Guard, which allows developers to encrypt and sign data and communications. You can learn more about it from their website.
By default, commits made directly from GitHub's website, such as PR merges and suggested PR changes, are signed automatically by GitHub, but by generating a GPG key and associating it with your computer, you can use it to digitally sign all your commits and tags locally.
Why should I verify my commits?
By signing your commits, GitHub can confirm that commits were really made by you from your device. This is especially useful when working in open source, where lots of people touch the same project, or at security-oriented companies.
You're probably wondering: doesn't GitHub already know that I made a commit in my name because, well, I made the commit from my account? Yes and no. While you do have authorization to push and pull repositories from your computer, you can easily change the name or email that is displayed in the commit, and in some cases impersonate others or be impersonated yourself. Try it!
$ git config --global user.name "Mona Lisa"
$ git config --global user.email "monalisa@notfake.com"
You are now making commits as Mona Lisa!
Pretty crazy to think that it's that easy to change the author of a commit.
How do I get verified?
So if you are ready to join the exclusive and elite verified club (disclaimer: it's not actually exclusive or elite), it's pretty simple:
1) Go to the GPG Website and download the binary release for your OS
2) Once installed, open up a terminal and run gpg --gen-key. When asked to enter your email address, make sure to use the email address associated with your GitHub account. You may also be asked to create a password. Don't forget the password, you will need it later on!
3) Once it's done, you should see some information about your new key. You can also run gpg --list-keys to refer back to it.
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-04-17
/Users/luis/.gnupg/pubring.kbx
------------------------------
pub rsa3072 2021-04-17 [SC] [expires: 2023-04-17]
A5BE09DEE58C0ACFE...
uid [ultimate] Luis Augusto <hello@luis.app>
sub rsa3072 2021-04-17 [E] [expires: 2023-04-17]
4) See that really long alphanumeric string up there? You'll need to tell Git about that key with these commands:
$ git config --global commit.gpgsign true
$ git config --global user.signingkey A5BE09DEE58C0ACFE...
5) Finally, using that key, run the command $ gpg --armor --export A5BE09DEE58C0ACFE... to get a public key that looks something like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
fjaiodjf;aosejaw;fiasjdfoawefao;jsfid
'fsdfijados;ifjaewf aewfiaafjaf;aodfj
iaif;oasjafiajf;iaofj;afjas;fja;fej;f
-----END PGP PUBLIC KEY BLOCK-----
Yes, I did just mash the keyboard, but it's something like that.
6) Take that entire block and paste it into the GPG keys section of your Keys settings in GitHub.
7) Make your first commit on your computer! You will be asked for that password you made in step 2, and if you are on a Mac, you can save it to your keychain so you'll never be asked about it again.
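Once your commits are signed, the flip side is checking what other people's commits look like. The following script is an added example (not from the original post): it audits the signature status git reports for each commit and flags anything that is unsigned or signed with a key outside an allow-list. The key ids, hashes and sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the signature status of commits. Feed it the output of
#   git log --format='%H|%G?|%GK|%ae'
# %G? is git's one-letter verification verdict, %GK the signing key id and %ae the
# author email as recorded in the commit (which, as shown above, anyone can set).
# Key ids whose signatures we accept (constructed values, not real keys).
TRUSTED_KEYS="0123456789ABCDEF FEDCBA9876543210"

describe_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key not trusted locally" ;;
        B) echo "BAD signature" ;;
        X) echo "good signature, but signature expired" ;;
        Y) echo "good signature, but key expired" ;;
        R) echo "good signature, but key revoked" ;;
        E) echo "cannot check signature (missing key)" ;;
        N) echo "no signature" ;;
        *) echo "unknown status '$1'" ;;
    esac
}

# Reads 'hash|status|key|email' lines on stdin, prints every commit that fails the
# policy (good signature from a trusted key) and returns 1 if any did.
audit_commit_signatures() {
    failures=0
    while IFS='|' read -r hash status key email; do
        [ -n "$hash" ] || continue
        ok=0
        if [ "$status" = "G" ] || [ "$status" = "U" ]; then
            for k in $TRUSTED_KEYS; do
                # match on the key id suffix so short and long ids both work
                case "$key" in *"$k") ok=1 ;; esac
            done
        fi
        if [ "$ok" -eq 0 ]; then
            printf '%.12s  %-45s key=%s author=%s\n' "$hash" \
                "$(describe_status "$status")" "${key:-none}" "$email"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample log: one properly signed commit, one unsigned commit whose
# author email was simply set with git config, one signed with an unknown key.
SAMPLE_LOG='1111111111111111111111111111111111111111|G|0123456789ABCDEF|hello@luis.app
2222222222222222222222222222222222222222|N||monalisa@notfake.com
3333333333333333333333333333333333333333|G|DEADBEEFDEADBEEF|monalisa@notfake.com'

printf '%s\n' "$SAMPLE_LOG" | audit_commit_signatures || echo "policy violations found"
```

In a real repository, replace the sample with `git log --format='%H|%G?|%GK|%ae' | audit_commit_signatures`; note that a status of N on a commit with your own email is exactly the Mona Lisa trick from above.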
Now every time you make a commit, you'll be feeling like this cool pup.
I hope this helps! If you want to learn more about it, here is a recap of the resources I mentioned: