How to Verify GitHub Commits

Learn how to easily verify your GitHub commits using GPG or SSH keys. A simple guide to securing your commits and earning that green Verified badge.

Ferhat Kefsiz

on

August 15, 2024

There’s something magical about seeing a clean, green Verified badge next to your GitHub commits. It’s not just about looks — it's about trust. It says:

Hey, this commit really came from me.

And in a world where security matters more every day, that little badge means a lot. A verified commit gives everyone reading the history confidence that the change really came from you, the author, and not from someone who merely set your name and email in their Git config.

Today, I’ll walk you through how you can verify your GitHub commits — simply, clearly, without any unnecessary complexity. Let's jump in.

Why Verify GitHub Commits?

First, let's get this straight: verified commits help ensure that no one is spoofing your identity. Whether you're pushing to personal projects or collaborating on a team, verified commits build a layer of authenticity and trust.

Plus... it feels incredibly good to see that Verified badge. Admit it. Here are some benefits:

Commit verification is a fundamental aspect of modern version control systems.

How Does It Work?

GitHub uses either GPG (GNU Privacy Guard) keys or SSH keys to verify your commits. When you sign a commit with your private key, GitHub checks that signature against the public key you uploaded to your account. If they match? Boom — verified!

Prerequisites

Before you start, ensure the following:

  1. Git Installed: Install Git.
  2. GPG Software: Install GPG (GNU Privacy Guard) for your operating system.
  3. GitHub Account: Log in to your GitHub account.

Setting It Up: Step-by-Step

Here's how you can set it up yourself:

  1. Generate a GPG key (or an SSH key, if you prefer that route):

     gpg --full-generate-key

     Choose the defaults unless you have a specific reason to customize.

Key Details:

  2. List your keys to grab the one you just made:

     gpg --list-secret-keys --keyid-format=long

     Look for the line starting with sec; the hexadecimal string after the slash on that line is your Key ID.

  3. Configure Git to use your GPG key:

     git config --global user.signingkey YOUR_KEY_ID

     (Replace YOUR_KEY_ID with the actual ID.)

  4. Tell Git to sign commits by default:

     git config --global commit.gpgsign true

  5. Add your GPG public key to GitHub. First, export it:

     gpg --armor --export YOUR_KEY_ID

     Copy the output, head over to GitHub Settings → SSH and GPG keys, and paste it there.
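As an added example (not part of the original post), here is a POSIX shell script that strings the steps above together: it parses the gpg secret-key listing to pull out the Key ID, applies the two git config settings, and then runs the check you want after setting this up, git verify-commit HEAD, which fails if the latest commit is unsigned or its signature does not validate. The key IDs, fingerprint and user ID in the embedded listing are constructed sample values, and the --apply flag and the function names are this script's own conventions, not anything git or gpg provides. One caveat the post does not spell out: GitHub shows Verified only when the email in the key's user ID matches a verified email on your GitHub account, so check that the uid line in the listing carries the address you commit with.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes gpg and git are on PATH.
# Run with --apply to read your real keyring and configure git; run with no
# arguments to exercise the parser on the constructed sample listing below.

# Print the long Key ID from a `gpg --list-secret-keys --keyid-format=long`
# listing read on stdin. The ID is the text after the slash on the first
# line whose first field starts with "sec" ("sec#" marks a key stored on a
# smartcard, which is still usable for signing). Only the first secret key
# is returned; if you hold several, pick the one you want by hand.
extract_key_id() {
    awk '$1 ~ /^sec/ { split($2, p, "/"); print p[2]; exit }'
}

# Steps 3 and 4 of the post: tell git which key to use and sign by default.
# gpg.format is set explicitly so a leftover SSH-signing setup cannot
# silently override the OpenPGP key.
configure_signing() {
    key_id="$1"
    git config --global user.signingkey "$key_id"
    git config --global commit.gpgsign true
    git config --global gpg.format openpgp
}

# The check to run afterwards: exit status 0 means the HEAD commit carries a
# signature that verifies against a key in the local keyring; non-zero means
# it is unsigned or the signature is bad.
verify_head_commit() {
    git verify-commit HEAD >/dev/null 2>&1
}

# Constructed sample listing (no real keys) to demonstrate the parser offline.
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
------------------------------
sec   ed25519/3AA5C34371567BD2 2024-08-15 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                 [ultimate] Example User <user@example.com>
ssb   cv25519/2B4FEB6E3D79B6A0 2024-08-15 [E]'

if [ "${1:-}" = "--apply" ]; then
    KEY_ID=$(gpg --list-secret-keys --keyid-format=long | extract_key_id)
    if [ -z "$KEY_ID" ]; then
        echo "no secret key found; generate one with: gpg --full-generate-key" >&2
        exit 1
    fi
    configure_signing "$KEY_ID"
    echo "git will now sign commits with $KEY_ID"
    echo "export the public key for GitHub with: gpg --armor --export $KEY_ID"
    # If we are inside a repository, report whether the latest commit verifies.
    if git rev-parse --git-dir >/dev/null 2>&1; then
        if verify_head_commit; then
            echo "HEAD commit signature verifies"
        else
            echo "HEAD commit is unsigned or its signature does not verify" >&2
        fi
    fi
else
    # Demo: prints 3AA5C34371567BD2 from the constructed listing.
    printf '%s\n' "$SAMPLE_LISTING" | extract_key_id
fi
```

After running it with --apply, make one commit and confirm that git log --show-signature prints a "Good signature" line for it before pushing; that is the local equivalent of the green badge.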