# GitHub "Verified" commits using a GPG key with a private email

It's nice to see a Verified badge next to each commit for peace of mind.

> Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.

1. Install the latest `gpg`. On a Mac, use Homebrew:

    ```sh
    brew install gpg
    ```

    Verify that the version is greater than `2.1`:

    ```sh
    $ gpg --version
    gpg (GnuPG) 2.3.6
    ```

2. Create a configuration file to cache credentials:

    ```sh
    mkdir -p ~/.gnupg
    cat <<EOF > ~/.gnupg/gpg-agent.conf
    default-cache-ttl 34560000
    max-cache-ttl 34560000
    EOF
    ```

    Restart `gpg-agent`:

    ```sh
    # This kills the agent
    gpgconf --kill gpg-agent
    # This starts it, but may not be needed: since 2.1 the agent starts automatically when the gpg command is run.
    gpg-agent --daemon
    ```

3. Create a key with a passphrase. Store the passphrase in a password manager.

    ```sh
    gpg --full-generate-key
    ```

    Use the defaults.

    * For the real name, use your username.
    * For the email, use the `<ID>+<USERNAME>@users.noreply.github.com` address shown on the [settings](https://github.com/settings/emails) page. Make sure to include the ID number.
    * For the comment, use `GitHub key`.

4. Set the `user.email` that matches the email on the GPG key:

    ```sh
    git config --global user.email <ID>+<USERNAME>@users.noreply.github.com
    ```

5. Store the GPG key ID:

    ```sh
    GPG_KEY=$(gpg --list-secret-keys --keyid-format=long | grep users.noreply.github.com -B3 | grep sec | cut -d'/' -f2 | cut -d' ' -f1)
    ```

6. Export the public key so it can be copied into GitHub:

    ```sh
    gpg --armor --export $GPG_KEY
    ```

7. Copy the key into GitHub. Verify that the email shows up in GitHub once the GPG key is added.

    The [`gh` command](https://cli.github.com/manual/gh_gpg-key_add) can be used instead:

    ```sh
    gh gpg-key add [<key-file>]
    ```

    Set the following global configs:

    ```sh
    # Use signing key
    git config --global user.signingkey $GPG_KEY
    # Use gpg binary
    git config --global gpg.program gpg
    # Always sign commits
    git config --global commit.gpgsign true
    ```

8. Run this locally and add it to the shell profile so that `gpg` can show the passphrase prompt:

    ```sh
    export GPG_TTY=$(tty)
    ```

9. Force the passphrase prompt and enter the passphrase:

    ```sh
    echo "test" | gpg --clearsign
    ```

10. Navigate to a repo, change something, and add a commit.

11. Check that your commit has been signed correctly:

    ```sh
    git log --show-signature -1
    ```

    The above should report a `Good signature` from `gpg`:

    ```
    commit a47d1b8d8e6d44acdd4b3840fb49403b0646871e (HEAD -> example, origin/example)
    gpg: Signature made Wed Oct 19 08:12:02 2022 CDT
    gpg:                using EDDSA key 59A0ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
    gpg: Good signature from "example-user (Github key) <1234567890+example-user@users.noreply.github.com>" [ultimate]
    Author: example-user <1234567890+example-user@users.noreply.github.com>
    Date:   Wed Oct 19 08:12:02 2022 -0500
    ```

12. Push up your changes and check for a "Verified" badge next to your new commit.

## References

* https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
* https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session/624488#624488
* https://stackoverflow.com/questions/39494631/gpg-failed-to-sign-the-data-fatal-failed-to-write-commit-object-git-2-10-0
* https://docs.github.com/en/authentication/managing-commit-signature-verification
* https://docs.github.com/en/authentication/managing-commit-signature-verification/associating-an-email-with-your-gpg-key
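As an added example that is not part of the original steps, here is a sturdier way to derive the key ID used in step 5: it parses gpg's machine-readable `--with-colons` listing (a documented, stable format) rather than grepping the human-readable output, and only picks a key whose user ID carries the GitHub noreply address. The embedded listing is constructed sample data, and `noreply_key_id` and `key_for_sample` are names chosen here.

```shell
#!/bin/sh
# Print the long key ID of the first secret key whose user ID ends in the
# GitHub noreply domain, reading gpg's colon-delimited listing from stdin.
# In real use pipe in:
#   gpg --list-secret-keys --with-colons | noreply_key_id
noreply_key_id() {
    awk -F: '
        # A "sec" record starts a new primary key; field 5 is the long key ID.
        $1 == "sec" { keyid = $5 }
        # "uid" records belong to the most recent "sec"; field 10 is the user ID.
        # Stop at the first user ID whose address is in the noreply domain.
        $1 == "uid" && keyid != "" && $10 ~ /@users\.noreply\.github\.com>$/ {
            print keyid
            exit
        }
    '
}

# Constructed sample listing (not real key material): a personal key first,
# then the key created for GitHub. Only the second one should be selected.
SAMPLE='sec:u:3072:1:1111222233334444:1600000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA1111222233334444AAAA1111222233334444:
uid:u::::1600000000::HASH0001::Example Person <person@example.com>::::::::::0:
sec:u:255:22:0123456789ABCDEF:1666184400:::u:::scESC:::+:::ed25519:::0:
fpr:::::::::BBBB0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1666184400::HASH0002::example-user (GitHub key) <1234567890+example-user@users.noreply.github.com>::::::::::0:
ssb:u:255:18:FEDCBA9876543210:1666184400::::::e:::+:::cv25519::'

# Helper that returns the key ID for the sample listing above.
key_for_sample() {
    printf '%s\n' "$SAMPLE" | noreply_key_id
}

key_for_sample   # prints 0123456789ABCDEF
```

The result can be stored with `GPG_KEY=$(gpg --list-secret-keys --with-colons | noreply_key_id)` and then used in steps 6 and 7 exactly as before.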