GPG Key in Git - Get Your Every Commit Verified
This article is based on GitHub's documentation.
You will get your own verified badge on every Git commit once you configure your GPG key with your VCS.
First things first, check your gpg version using this command:
Allow me to assume that you are on version 2.1.17 or greater.
Use this command to generate a GPG key:
Choose the default for the kind of key, enter 4096 for the key size, and choose 0 for the expiration time, or another value if you prefer.
Enter your Git ID (your full name is also fine) and an email address that is already verified in your Git account.
Set your password for the GPG key.
After you confirm your configuration, do some memory-consuming operations (for example, looping through a million-element simple array in Python or Ruby) so that the key generation process doesn't take too long.
Now that the key generation process has finished, use this command to list all the GPG keys on your machine:
gpg --list-secret-keys --keyid-format LONG
You should see results looking like this:
/home/crazyoptimist/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/C82530CF298B7FD4 2020-10-04 [SC]
      BD47472FAE42F276ACAD1E44C82530CF298B7FD4
uid                 [ultimate] CrazyOptimist (Crazy Optimist) <[email protected]>
ssb   rsa4096/86DE9F8D3D5B068D 2020-10-04 [E]
In the above example, C82530CF298B7FD4 is your GPG key ID.
Use this command to export your GPG public key:
gpg --armor --export YOUR_GPG_KEY_ID
# Prints the public key for that GPG key ID, in ASCII armor format
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
Paste it into the GPG keys field in your Git account settings.
Well, so far so good.
Now, use these commands to tell Git to sign every commit with your GPG key so that it gets verified:
git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global commit.gpgsign true
The second line makes Git sign every commit on your machine.
If you do not like that for some reason, skip the line and use the -S flag instead whenever you want to sign a commit:
git commit -S -m "YOUR_COMMIT_MESSAGE"
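An added example, not part of the original article: a small shell helper that reads the listing printed by gpg --list-secret-keys --keyid-format LONG and returns the long ID of the key whose usage flags include S (sign), which is the value to give user.signingkey; the encryption-only [E] subkey is skipped. The function names and the SAMPLE_LISTING variable are made up for this illustration, and the sample input is the listing shown earlier in the article.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Input (stdin): text printed by `gpg --list-secret-keys --keyid-format LONG`.

# Print "<record type> <long key ID>" for every key that is able to sign.
signing_key_ids() {
  awk '
    # Key lines: sec   rsa4096/C82530CF298B7FD4 2020-10-04 [SC] [expires: ...]
    ($1 == "sec" || $1 == "ssb") && index($2, "/") {
      split($2, part, "/")               # part[2] is the long key ID
      for (i = 3; i <= NF; i++) {
        # Usage flags: S=sign, C=certify, E=encrypt, A=authenticate.
        # An "[expires: ...]" suffix does not match this pattern.
        if ($i ~ /^\[[SCEA]+\]$/) {
          if (index($i, "S")) print $1, part[2]
          break
        }
      }
    }
  '
}

# Print only the ID of the first signing-capable key in the listing,
# i.e. the value for `git config --global user.signingkey`.
pick_signing_key() {
  signing_key_ids | awk 'NR == 1 { print $2 }'
}

# Sample input: the listing from the article, copied as it appears there.
SAMPLE_LISTING='/home/crazyoptimist/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096/C82530CF298B7FD4 2020-10-04 [SC]
      BD47472FAE42F276ACAD1E44C82530CF298B7FD4
uid                 [ultimate] CrazyOptimist (Crazy Optimist) <[email protected]>
ssb   rsa4096/86DE9F8D3D5B068D 2020-10-04 [E]'

printf '%s\n' "$SAMPLE_LISTING" | pick_signing_key
```

On a real machine, pipe the gpg command's output into pick_signing_key instead of the sample text.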
Finally, add this line to your
.bashrc or to any other of your auto-loaded dot files like
If you want to remove your GPG key from your machine:
gpg --delete-secret-keys username@email
gpg --delete-keys username@email
# confirm that it has been removed
gpg --list-keys
If you want to back up your key pair as files:
gpg --output private.pem --armor --export-secret-key username@email
gpg --output public.pub --armor --export username@email
If you want to import your backed-up key pair:
gpg --import private.pem
gpg --import public.pub
Hooray! You did it! Happy coding gents! 😎