How to add a “Verified” commit message to GitHub using SSH Signing Key or GPG Signing Key.
If you often visit the commit history page of a GitHub repository, you may notice that some commits carry a “Verified” badge, some are unlabeled, and some even show an orange “Unverified” badge.
This GitHub feature indicates that the commit or tag comes from an authentic source and that GitHub has verified the signature. This matters because other users of the repository can be confident that the changes really come from the people they claim to come from.
At the time of writing, there are three ways to sign a commit: with a GPG signature, an SSH signature, or an S/MIME signature. Of those three, I want to share my experience using the GPG and SSH methods to sign commits.
To follow the steps in this article, make sure your current Git configuration is working without any problems. If you have never set up Git, follow my previous article: How To Use Git Using SSH Protocol For GitHub.
Using SSH key signature
The easiest way is using the SSH signature method. You can use the SSH key that you already use for the Authentication key and upload the same public key to use as the Signing key.
Note: To use the SSH Key Signature method, you need to use Git
Adding SSH key as signing key
To add an SSH key as a Signing key in your GitHub account:
- Go to “Settings” > “SSH and GPG keys” > click the “New SSH key” button.
- Fill in “Title” with anything you can easily remember to identify your SSH key.
- In the “Key type” section, select “Signing Key”.
- Finally, go back to the terminal, copy the contents of your SSH public key, and paste them into the “Key” text area. After that, click the “Add SSH key” button.
Change the Git configuration on your local computer
After the SSH Signing key has been added to your GitHub account, you need to change the Git `gpg.format` configuration value to `ssh` by running the following command:

```sh
git config --global gpg.format ssh
```

Finally, update the `user.signingkey` config and enter the location of the SSH PUBLIC KEY that you have uploaded:

```sh
git config --global user.signingkey ~/.ssh/github_key.pub
```

Replace `~/.ssh/github_key.pub` with the actual location where your PUBLIC KEY is stored.
Using GPG key signature
Alternatively, you can use a GPG key signature to sign commits.
Generating GPG key
If you don’t have a GPG key pair yet, you can create one by running the following command:

```sh
gpg --full-generate-key
```

After executing the command above, you will be asked to fill in the following information:
- Type: choose any; I recommend just using the default, `RSA and RSA`.
- Key size: fill in a value between 1024 and 4096. The default is 3072. I recommend using
- How long the GPG key is valid: I recommend using the default (`0`, no expiration date).
- Name and email: pay attention when filling in the email; make sure it is the same email you use on GitHub.
- Passphrase: enter a passphrase to protect your GPG key.
Example output from the `gpg --full-generate-key` command:

```text
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jasmerah1966
Email address: [email protected]
Comment: GPG sign key untuk GitHub
You selected this USER-ID:
    "Jasmerah1966 (GPG sign key untuk GitHub) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/jasmerah1966/.gnupg/openpgp-revocs.d/F5FEE1EF836C62F5361A643B156C485C2EB2C1D6.rev'
public and secret key created and signed.

pub   rsa4096 2023-10-23 [SC]
      F5FEE1EF836C62F5361A643B156C485C2EB2C1D6
uid                      Jasmerah1966 (GPG sign key untuk GitHub) <[email protected]>
sub   rsa4096 2023-10-23 [E]
```
Getting your GPG key information
To list the GPG keys for which you have a secret key, run the following command:

```sh
gpg --list-secret-keys --keyid-format=long
```

Example output from the command above:

```text
/home/jasmerah1966/.gnupg/pubring.kbx
-------------------------------------
sec   rsa4096/156C485C2EB2C1D6 2023-10-23 [SC]
      F5FEE1EF836C62F5361A643B156C485C2EB2C1D6
uid                 [ultimate] Jasmerah1966 (GPG sign key untuk GitHub) <[email protected]>
ssb   rsa4096/04951FB42332019F 2023-10-23 [E]
```

Then run the following command to export the GPG public key in ASCII armor format:

```sh
gpg --armor --export 156C485C2EB2C1D6
```

Note: replace my key ID above (`156C485C2EB2C1D6`) with your own key ID.
Copy your GPG key (from `-----BEGIN PGP PUBLIC KEY BLOCK-----` to `-----END PGP PUBLIC KEY BLOCK-----`); in the next step, you will add it to your GitHub account.
Adding the GPG key to your GitHub account
- Go to “Settings” > “SSH and GPG keys” > click the “New GPG key” button.
- Fill in “Title” with anything you can easily remember to identify your GPG key.
- Paste your GPG public key into the “Key” text area. After that, click the “Add GPG key” button.
Signing your commit
If everything has been set up correctly, you can create a signed commit with `git commit -S` or:

```sh
git commit -S -m 'Your commit message'
```
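The GPG path from key generation to a signed commit, as an added example that is not part of the original article: it creates a throwaway key non-interactively, extracts the long key ID from the same `gpg --list-secret-keys --keyid-format=long` listing shown above, points `user.signingkey` at it, signs a commit with `-S`, and checks the result. It assumes GnuPG 2.x and git are installed and uses a constructed identity and an isolated `GNUPGHOME` under a temporary directory, so the real `~/.gnupg` keyring is never touched.

```sh
# Added example (not part of the original article): generate a throwaway GPG key,
# extract its long key ID, point Git at it, sign a commit and check the status.
# Assumptions: GnuPG 2.x and git are installed; an isolated GNUPGHOME under a
# temporary directory is used, so the real ~/.gnupg keyring is never touched.
set -eu

setup_gpg_signing_demo() {
  GPG_WORK=$(mktemp -d)
  export GNUPGHOME="$GPG_WORK/gnupg"
  mkdir -m 700 "$GNUPGHOME"

  # Constructed identity; on a real account this email must match GitHub's.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo User <demo@example.com>' ed25519 sign 0

  # The long key ID is the part after the slash in "sec rsa4096/156C485C2EB2C1D6"
  # in the article's output; --with-colons puts it in field 5 of the "sec" record.
  KEYID=$(gpg --list-secret-keys --keyid-format=long --with-colons demo@example.com \
          | awk -F: '$1 == "sec" { print $5; exit }')

  git init -q "$GPG_WORK/repo"
  cd "$GPG_WORK/repo"
  git config user.name  'Demo User'
  git config user.email 'demo@example.com'
  git config gpg.format openpgp          # Git's default; set explicitly for contrast with ssh
  git config user.signingkey "$KEYID"

  echo hello > README.md
  git add README.md
  git commit -q -S -m 'Signed with a GPG key'
}

# %G? is "G" for a good signature made by a key in the local keyring.
gpg_signature_status() { git log -1 --format='%G?' HEAD; }

# The armored block (BEGIN ... END PGP PUBLIC KEY BLOCK) to paste into
# GitHub's "New GPG key" form; the private key never leaves the machine.
export_gpg_public_key() { gpg --armor --export "$KEYID"; }
```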
I have never had the opportunity to try signing with S/MIME. If anyone wants to add it, please do so by opening a pull request.
I hope this helps.