How to Verify GitHub Commits: A Step-by-Step Guide for Secure Code Contributions

Ferhat Kefsiz

Why Verify GitHub Commits?

In today's collaborative coding environments, ensuring that your commits are verified on GitHub is essential. Verified commits provide confidence that the changes were indeed made by you, the author.

Verifying GitHub commits proves that the code was authored by you and has not been tampered with by others. Here are some benefits:

  • Authenticity: Confirms the identity of the commit author.
  • Security: Makes unauthorized modifications to a commit detectable, since any change to its contents invalidates the signature.
  • Trust: Builds confidence in open-source and collaborative projects.

[Image: GitHub commit verification example]

Commit verification is a fundamental aspect of modern version control systems. It ensures that code changes are authentic and that the integrity of the codebase is maintained. This process is crucial for building trust in collaborative software development environments.

Prerequisites

Before you start, ensure the following:

  1. Git Installed: Install Git.
  2. GPG Software: Install GPG (GNU Privacy Guard) for your operating system.
  3. GitHub Account: Log in to your GitHub account.

Step-by-Step Guide to Verifying GitHub Commits

Step 1: Generate a GPG Key

A GPG key pair is what produces your digital signatures: the private key signs, and the public key lets others check that signature and tie it to you. Use the following command to generate your key:

gpg --full-generate-key

Key Details:

  • Key type: Choose RSA and RSA (default).
  • Key size: Use 4096 for better security.
  • Expiration: Set it based on your preference.
  • Email: Enter the email associated with your GitHub account.

Step 2: List Your GPG Keys

Find the key ID you just created:

gpg --list-secret-keys --keyid-format LONG

You'll see an output like this:

sec   rsa4096/ABC123DEF456 2024-11-30 [SC]
      Key fingerprint = 1234 5678 9ABC DEF4 5678 9ABC DEF4 5678
uid           [ultimate] Your Name <your.email@example.com>

Take note of the key ID, which is the part after rsa4096/ on the sec line (e.g., ABC123DEF456).

Step 3: Add Your GPG Key to GitHub

Export your GPG public key:

gpg --armor --export ABC123DEF456

Copy the output and go to GitHub:

  1. Navigate to Settings > SSH and GPG keys > New GPG key.
  2. Paste the exported key and click Add GPG key.

To finish, confirm the action with your GitHub password or your preferred authentication method.

Step 4: Configure Git to Use Your GPG Key

Tell Git to use your GPG key for signing commits:

git config --global user.signingkey ABC123DEF456

Enable commit signing globally:

git config --global commit.gpgsign true

Alternatively, enable commit signing for a single repository only (run these inside the repository; --local settings override the --global ones):

git config --local commit.gpgsign true
git config --local user.signingkey ABC123DEF456

Step 5: Sign Your Commits

git commit -S -m "Your commit message"

Signed commits will include a GPG signature. When you push such a commit, GitHub marks it as Verified, provided the signature matches a GPG key on your account and the commit email matches a verified email address on that account.
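The following script is an added example, not part of the original post. It runs Steps 1, 4 and 5 end to end in a throwaway GnuPG home directory and a temporary Git repository, then checks the result locally with git verify-commit, which is the same check GitHub performs before showing the Verified badge. It assumes gpg (2.1 or newer) and git are installed; the signer identity, the short-lived ed25519 demo key, and the commit contents are constructed for the demo (for your real key, follow the rsa4096 advice above). It also shows the failure mode the signature is there to catch: after the commit is rewritten without a signature, verification fails.

```shell
#!/bin/sh
# Added example: signed-commit walkthrough in a throwaway keyring and temp repo.
set -eu

# Throwaway keyring so the demo never touches your real keys (constructed, deleted by you afterwards).
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

setup_demo_key() {
  # Non-interactive equivalent of `gpg --full-generate-key` (Step 1).
  # Demo identity and a 1-day expiry are constructed values; the empty passphrase
  # keeps the demo headless and is NOT what you want for a real key.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Signer <demo.signer@example.com>' ed25519 sign 1d
  # Print the long key ID: the last 16 hex digits of the fingerprint (field 10 of
  # the "fpr" record), the same value Step 2 tells you to note.
  gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print substr($10, 25); exit }'
}

sign_demo_commit() {
  # $1 = key ID. Creates a temp repo configured as in Step 4 and makes one signed commit (Step 5).
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.name 'Demo Signer'
  git -C "$repo" config user.email 'demo.signer@example.com'   # must match the key's uid
  git -C "$repo" config user.signingkey "$1"
  git -C "$repo" config commit.gpgsign true                     # every commit here is signed
  echo 'hello' > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" commit -q -m 'Add README (signed)'
  echo "$repo"
}

commit_is_signed() {
  # $1 = repo path. Succeeds only if HEAD carries a valid signature from a key in the keyring.
  git -C "$1" verify-commit HEAD >/dev/null 2>&1
}

KEY_ID=$(setup_demo_key)
REPO=$(sign_demo_commit "$KEY_ID")
commit_is_signed "$REPO" && echo "HEAD is signed by key $KEY_ID"

# Failure mode: rewrite the commit without a signature and verification no longer passes.
git -C "$REPO" commit -q --amend --no-gpg-sign -m 'Rewritten without a signature'
if ! commit_is_signed "$REPO"; then
  echo "unsigned rewrite detected: HEAD no longer verifies"
fi
```

Run it with sh and then remove the two temporary directories it created. git verify-commit exits non-zero both for an unsigned commit and for a signature made by a key that is not in your keyring, so it is the check to script into a pre-receive hook or CI job if you want to reject unverified history on the server side.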
