Signed and Verified commits with GitHub Desktop
Web commits, the commits you perform on the GitHub website, are automatically verified, but the ones you make from GitHub Desktop need to be signed manually.
Signing using GPG key
Setting up GPG
Download gpg4win from its official website.
Begin the installation and choose to install only GnuPG and Kleopatra; no other component is needed.
After installation, open Kleopatra and create a new GPG key pair by selecting "New Key Pair".
Enter your real name and the email address that is added as one of your verified email addresses in your GitHub account settings.
Select advanced settings; here you can optionally check the box next to "Authentication" and also increase the validity period of your GPG key.
Choosing a passphrase is not mandatory.
Export the public key by right-clicking on the GPG key and selecting Export. Open the exported file in Notepad or VS Code, copy its content and paste it in the GPG keys section of your GitHub profile so it is added as a new GPG key to your GitHub account.
Configuring .gitconfig file
Assuming GitHub Desktop is installed and logged in on your system, open the .gitconfig file, usually located in your user folder, and add the following items to it.
Add this section to the end of the file:
And then add this to the [user] section:
Replace YourGPGSigningkeyID with your actual GPG key ID. You can get it from the Kleopatra GUI in the Key-ID column (enter it without spaces in the .gitconfig file) or from the GPG keys section in your GitHub account settings, where the Key ID is visible after you add your GPG public key.
You can set the validity period of your GPG certificate to unlimited, set, change or remove its passphrase, and make other modifications. You can publish it on a GPG key server too so others can look it up and verify it.
Make sure you back up your secret key using Kleopatra and store it in a safe place; you can import it again on another machine to continue signing your GitHub commits. The public key doesn't need to be backed up, as you can export it again after importing the secret GPG key on a different machine.
Now every time you commit using GitHub Desktop, your commits will be signed. If your GPG key has a passphrase, you will be asked to enter it before committing and pushing in GitHub Desktop; otherwise signing will happen automatically. Your repository's commit history on the GitHub website will show a Verified badge next to them.
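The GPG configuration described above, done from PowerShell instead of by editing .gitconfig by hand, as an added example that is not part of the original page. It assumes Gpg4win is installed and that the key pair was already created in Kleopatra for the address in $Email (a placeholder); gpg.program is set as a precaution because the Git bundled with GitHub Desktop does not always find Gpg4win's gpg.exe on its own.

```powershell
# Added example (not from the page): configure Git for GPG commit signing from PowerShell.
# Assumes Gpg4win is installed and a key pair for $Email already exists in Kleopatra.
$Email = 'you@example.com'   # placeholder: one of the verified emails on your GitHub account

# Point Git at Gpg4win's gpg.exe (precaution: the Git bundled with GitHub Desktop
# does not always find it). Git config paths use forward slashes.
$Gpg = (Get-Command gpg.exe -ErrorAction Stop).Source
git config --global gpg.program ($Gpg -replace '\\', '/')

# Read the long key ID from gpg's machine-readable output instead of copying it
# from the Kleopatra GUI. In --with-colons output the key ID is field 5 of the "sec" line.
$SecLine = & $Gpg --list-secret-keys --keyid-format long --with-colons $Email |
    Where-Object { $_ -like 'sec:*' } | Select-Object -First 1
if (-not $SecLine) { throw "No secret key found for $Email" }
$KeyId = ($SecLine -split ':')[4]      # 16 hex characters, no spaces

# The two settings the page puts in .gitconfig: [commit] gpgsign and [user] signingkey
git config --global user.email      $Email
git config --global user.signingkey $KeyId
git config --global commit.gpgsign  true

# Sanity check in a throw-away repository: one empty commit, signed automatically
# because commit.gpgsign is true, then verified locally with --show-signature.
$Tmp = Join-Path $env:TEMP ("sigtest-" + [guid]::NewGuid())
git init -q $Tmp
git -C $Tmp commit -q --allow-empty -m 'signing test'
git -C $Tmp log -1 --show-signature    # look for "Good signature from" your user ID
Remove-Item -Recurse -Force $Tmp
```

If the key has a passphrase, the test commit prompts for it through the GnuPG pinentry dialog, exactly as GitHub Desktop will later.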
How to restore GPG for commit signing using your current key on a new environment
- Install GitHub Desktop and log in with your GitHub account
- Configure the .gitconfig file as explained above
- Install gpg4win as explained above
- Open the Kleopatra GUI and use the Import button to import your GPG secret key backup into the program. You can also double-click your GPG secret key backup file and add it to the program that way.
- Start committing and pushing changes to your repository using the GitHub Desktop app; your commits will have a Verified badge in the GitHub website commit history.
Official resources
Telling Git about your signing key
Signing using SSH key
Generating the key pair
Run this command to create a new SSH key pair, using the provided email as a label. It should be one of the emails added to your account as a verified email.
Replace spynetgirl@outlook.com with your own email address.
When asked, enter a file name; there is no need to specify a file extension (such as .txt). Two files will be created in your user folder. The one with the .pub extension contains your public key, the other one contains your private key. Both of them must be backed up and stored in a safe place.
Set a passphrase when asked; it is not mandatory, so you can just press Enter when asked for a passphrase.
Configuring SSH Windows service
First make sure you've moved the generated SSH key pair out of the default user folder location and stored them somewhere else, for example OneDrive's Personal Vault, then run the following command to add the private key of your SSH key pair to the SSH agent.
If you set a passphrase for your private key in the previous steps you'll be asked to enter it; otherwise you will see the success message "Identity added".
Add your SSH public key to GitHub account
Open the file containing your SSH public key, which has a .pub extension, using a text editor such as Notepad or VS Code, copy its content, paste it in your GitHub account settings and save.
Configuring .gitconfig file
Add these new sections to the end of your .gitconfig file. It's usually located in your user folder, C:\Users\YourUserName.
Then add this to the [user] section to define your SSH public key; it's a direct path to that file.
You must replace all of the normal backslashes \ in your path with forward slashes /, otherwise GitHub Desktop throws an error.
Now every time you commit using GitHub Desktop, your commits will be signed. If your SSH key has a passphrase, you will be asked to enter it before committing and pushing in GitHub Desktop; otherwise signing will happen automatically. Your repository's commit history on the GitHub website will show a Verified badge next to them.
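The SSH procedure from the sections above (key generation, the ssh-agent service, the .gitconfig entries with forward slashes) as one PowerShell script, an added example that is not part of the original page. $Email and $KeyDir are placeholders; it assumes Windows' built-in OpenSSH and an elevated prompt for the service step, and it additionally sets gpg.ssh.allowedSignersFile so the signature can be verified locally, which the page's setup does not need because GitHub verifies against the keys on your account.

```powershell
# Added example (not from the page): SSH commit signing for GitHub Desktop, end to end.
# Assumes Windows OpenSSH is installed; Set-Service needs an elevated PowerShell.
$Email  = 'you@example.com'                                    # placeholder: verified GitHub email
$KeyDir = Join-Path $env:USERPROFILE 'Documents\git-signing'   # placeholder: outside the default folder
$Key    = Join-Path $KeyDir 'github_signing'                   # private key; public key is "$Key.pub"

New-Item -ItemType Directory -Force $KeyDir | Out-Null
if (-not (Test-Path "$Key.pub")) {
    # ed25519 key labelled with the email; ssh-keygen asks for an optional passphrase
    ssh-keygen -t ed25519 -C $Email -f $Key
}

# Windows ssh-agent service: start it at boot, start it now, then load the private key
Get-Service ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent
ssh-add $Key                                 # prints "Identity added" on success

# The .gitconfig entries from the page. The signingkey is the *public* key path,
# and backslashes are converted to forward slashes because GitHub Desktop errors otherwise.
$PubPath = "$Key.pub" -replace '\\', '/'
git config --global gpg.format      ssh
git config --global commit.gpgsign  true
git config --global user.signingkey $PubPath
git config --global user.email      $Email

# Local verification only: Git needs an allowed-signers file ("principal key-type key-blob")
# to trust the key. GitHub does not need this; it checks the key against your account.
$Signers = Join-Path $KeyDir 'allowed_signers'
"$Email $(Get-Content "$Key.pub")" | Set-Content $Signers
git config --global gpg.ssh.allowedSignersFile ($Signers -replace '\\', '/')

# Sanity check in a throw-away repository: one empty commit, signed automatically, then verified
$Tmp = Join-Path $env:TEMP ("sigtest-" + [guid]::NewGuid())
git init -q $Tmp
git -C $Tmp commit -q --allow-empty -m 'signing test'
git -C $Tmp log -1 --show-signature    # look for 'Good "git" signature for' your email
Remove-Item -Recurse -Force $Tmp
```

Without the allowed-signers entry, git log --show-signature reports the signature as unverifiable even though GitHub shows the commit as Verified; that is expected and not a signing failure.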
How to restore SSH for commit signing using your current key on a new environment
- Install GitHub Desktop and log in with your GitHub account
- Configure the .gitconfig file as explained above
- Turn on the ssh-agent Windows service
- Add your SSH private key to ssh-agent using the ssh-add "Path/To/SSH/Privatekey" command
- Start committing and pushing changes to your repository; your commits will have a Verified badge in the GitHub website commit history.
Official resources
Telling Git about your SSH key
Key-based authentication in OpenSSH for Windows
About commit signature verification
Adding a new SSH key to your GitHub account
Generating a new SSH key and adding it to the ssh-agent