How To Create a 'Verified' (Signed) Git Commit Using an SSH or GPG Signature (Linux)

How to add a 'Verified' badge to your GitHub commits using an SSH signing key or a GPG signing key, step by step.

If you often visit the commit history page of a GitHub repository, you may notice that some commits carry a “Verified” badge, some are unlabeled, and some even carry an orange “Unverified” badge.

This badge indicates that GitHub has verified the signature on the commit or tag, so the commit comes from an authenticated source. This matters because other users of the repository can then be confident that the changes really come from the people they claim to come from.

At the time of writing, there are three ways to sign a commit: with a GPG signature, an SSH signature, or an S/MIME signature. Of those three, I want to share my experience with the GPG and SSH methods of signing commits.

To follow the steps in this article, make sure that your current Git configuration works without any problems. If you have never set up Git, follow my previous article: How To Use Git Using SSH Protocol For GitHub.

Using SSH key signature

The easiest way is the SSH signature method. You can reuse the SSH key you already use as your authentication key: upload the same public key a second time, this time as a signing key.

Note: To use the SSH key signature method, you need Git 2.34 or later.

Adding SSH key as signing key

To add an SSH key as a Signing key in your GitHub account:

  1. Go to “Settings” > “SSH and GPG keys” and click the “New SSH key” button.
  2. Fill in “Title” with anything that lets you easily identify this SSH key.
  3. In the “Key type” section, select “Signing Key”.
  4. Finally, go back to the terminal, copy the contents of your SSH public key, and paste them into the “Key” textarea. After that, click the “Add SSH key” button.

Change the Git configuration on your local computer

After the SSH signing key has been added to your GitHub account, change the Git gpg.format configuration value to ssh by running the following command:

git config --global gpg.format ssh

Finally, set the user.signingkey config to the location of the SSH PUBLIC KEY that you uploaded:

git config --global user.signingkey ~/.ssh/github_key.pub

Note: Replace ~/.ssh/github_key.pub with the actual location where your PUBLIC KEY is stored.

Using GPG key signature

You can use GPG Key Signature to sign commit messages.

Generating GPG key

If you don’t have a GPG key pair yet, you can create one by running the following command:

gpg --full-generate-key

After executing the command above, you will be asked to complete the information, including:

  1. Key type: choose any; I recommend just using the default, RSA and RSA.
  2. Key size: between 1024 and 4096 bits. The default is 3072; I recommend 4096.
  3. How long the GPG key is valid: I recommend the default (0, no expiration date).
  4. Name and email. Pay attention when filling in the email: it must be the same email you use on GitHub.
  5. A passphrase for your GPG key.

Example output from the gpg --full-generate-key command:

gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jasmerah1966
Email address: [email protected]
Comment: GPG sign key untuk GitHub
You selected this USER-ID:
    "Jasmerah1966 (GPG sign key untuk GitHub) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/jasmerah1966/.gnupg/openpgp-revocs.d/F5FEE1EF836C62F5361A643B156C485C2EB2C1D6.rev'
public and secret key created and signed.

pub   rsa4096 2023-10-23 [SC]
      F5FEE1EF836C62F5361A643B156C485C2EB2C1D6
uid                      Jasmerah1966 (GPG sign key untuk GitHub) <[email protected]>
sub   rsa4096 2023-10-23 [E]

Getting your GPG keys information

To list the GPG keys for which you hold a secret key, run the following command:

gpg --list-secret-keys --keyid-format=long

Example output from the command above:

/home/jasmerah1966/.gnupg/pubring.kbx
-------------------------------------
sec   rsa4096/156C485C2EB2C1D6 2023-10-23 [SC]
      F5FEE1EF836C62F5361A643B156C485C2EB2C1D6
uid                 [ultimate] Jasmerah1966 (GPG sign key untuk GitHub) <[email protected]>
ssb   rsa4096/04951FB42332019F 2023-10-23 [E]

Then run the following command to export the GPG public key in ASCII armor format:

gpg --armor --export 156C485C2EB2C1D6

Note: Replace my key ID above (156C485C2EB2C1D6) with your own key ID.

Copy your GPG key (from -----BEGIN PGP PUBLIC KEY BLOCK----- through -----END PGP PUBLIC KEY BLOCK-----); in the next step you add it to your GitHub account.

Adding GPG to Your GitHub Account

  1. Go to “Settings” > “SSH and GPG keys” and click the “New GPG key” button.
  2. Fill in “Title” with anything that lets you easily identify this GPG key.
  3. Paste your GPG key into the “Key” textarea. After that, click the “Add GPG key” button.

Signing your commit

If everything is set up correctly, you can sign a commit with git commit -S, or git commit -S -m 'Your commit message'.
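The GPG procedure above (generate, list, export, set user.signingkey, commit -S) done non-interactively, as an added example that is not part of the original article; it also shows how the long key ID the article reads off the listing is derived from the fingerprint. It assumes GnuPG 2.1+ and git are installed; the user ID, e-mail address and repository are throwaway values the script creates in an isolated GNUPGHOME.

```shell
#!/bin/sh
# Added example (not from the original article): unattended GPG key creation,
# key-ID lookup, armored export, and a signed commit, all in a private GNUPGHOME
# so nothing touches ~/.gnupg. Assumes GnuPG 2.1+ and git.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null
trap 'gpgconf --kill gpg-agent 2>/dev/null' EXIT   # stop the agent started for this keyring

DEMO_UID="Demo User <demo@example.invalid>"        # constructed identity for the demo

# Non-interactive equivalent of `gpg --full-generate-key` with the article's choices
# (RSA 4096, no expiry). `sign` yields a signing-only primary key, and the empty
# passphrase is only acceptable because this key is thrown away afterwards.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$DEMO_UID" rsa4096 sign never 2>/dev/null

# Full 40-hex-digit fingerprint of the first secret key (the fpr: record, field 10).
primary_fingerprint() {
    gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }'
}

# The "long" key ID shown by --keyid-format=long is the last 16 hex digits of the
# fingerprint, e.g. F5FEE1EF836C62F5361A643B156C485C2EB2C1D6 -> 156C485C2EB2C1D6.
long_key_id() {
    printf '%s' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

# Armored public key block, the text pasted into GitHub's "New GPG key" form.
armored_public_key() { gpg --armor --export "$1"; }

key_fpr=$(primary_fingerprint)
key_id=$(long_key_id "$key_fpr")

# Sign a commit in a throwaway repo with that key ID (gpg.format defaults to openpgp).
gpg_repo=$(mktemp -d)
git init -q "$gpg_repo"
git -C "$gpg_repo" config user.name "Demo User"
git -C "$gpg_repo" config user.email "demo@example.invalid"
git -C "$gpg_repo" config user.signingkey "$key_id"
echo hello > "$gpg_repo/README"
git -C "$gpg_repo" add README
git -C "$gpg_repo" commit -q -S -m "Signed with GPG key $key_id" >/dev/null

# Exit 0 only if HEAD carries a good signature from a trusted key in this keyring.
verify_gpg_head() { git -C "$1" verify-commit HEAD 2>/dev/null; }
```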

I have never had the opportunity to try signing with S/MIME. If anyone wants to add it, please do so with a pull request.

I hope this helps.