How to get the verified flag on your commits in GitHub

6/12/2023

If you've ever used a GitHub integration, then you'll know you can verify your Git commits. In this post, I'll go over the steps you need to take to accomplish this for your own development system. After you've completed these steps, your commits will have a "Verified" flag in GitHub.

Before we get into it, it's probably a good idea to explain what the verified tag means. It means that when you commit code, the commit is signed with a key, the GPG key. This key contains information about you, like your name and e-mail address. When you submit your public key in GitHub, GitHub can verify that the signed commit was created by your account. All it means is that anyone with access to the repository can see that the commit was made on your system by someone who knows the passphrase to unlock your public key. It's a way to verify that you were the one creating the commit and no one else.

Now let's get into the steps you need to take to get this GPG key and start getting the "Verified" flag. For this post I'm focusing on how to do this on a Linux distribution, because that's what I use on a daily basis. You can find out how to do this for your preferred platform on the GitHub help pages.

Step 1: Check if you have any keys available

You can find out if you already have a GPG key by running the following command:

    gpg --list-secret-keys --keyid-format LONG

If you have no keys available, or you want to create a new one, go to step 2.

When generating a new GPG key, you'll need to fill out some personal information. This information will be used by GitHub to verify that it was you who made the commit. To generate a new key, run the following command:

    gpg --full-generate-key

When it asks for which type of key, select the default choice (RSA and RSA). Then it will ask you for the key size; fill in 4096. Then it will ask you when you want this key to expire. I went for 0 (never expire), but you can choose another one if you need to.

Then it will ask for your name and e-mail address, along with a comment. The comment can be used to identify the key. For example, fill in your company name if you're on your company computer. When filling out your e-mail address, make sure it's the same e-mail address you used to sign up for GitHub.

When you go to the next step, you need to fill out a passphrase (or password). Preferably use a random password generator with 16 or more characters. Be sure to save this passphrase somewhere, because you will need to fill it in when you commit your changes.

When you're here, you already had a GPG key or you just created a new one. Let's verify if your system can see your key by running the command from step 1 once again:

    gpg --list-secret-keys --keyid-format LONG

If you see your key, you're ready to submit it to GitHub. When running that command you should see a section that starts with "sec" like below:

    sec rsa4096/gpgIdentifier

Copy the "gpgIdentifier" part of that line (no rsa4096/ attached), because this represents the identifier for your GPG key. I replaced my key in that last line to make clear what you're looking for.

We're going to use that identifier to find out what your public GPG key is. This public key is what we'll submit to GitHub. Using the identifier, run the command below:

    gpg --armor --export gpgIdentifier

You should now see your public code, starting with "-----BEGIN PGP PUBLIC KEY BLOCK-----" and ending with "-----END PGP PUBLIC KEY BLOCK-----". Copy this entire key, including the lines I mentioned in the last sentence.

Now that you have this code, go to GitHub → Settings → SSH and GPG Keys. Now you have to scroll to the bottom until you get to the GPG keys section and then press "New GPG key". In the next form, paste your GPG key and save.

Step 4: Configure Git to use your GPG key to sign commits

You have now generated a GPG key and submitted its public key to GitHub.
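
The configuration that Step 4 names, sketched as an added example that is not part of the original post: it pulls the long key ID out of the "sec" line described above, checks that it was copied correctly, and points Git at it. The script name, the function names and the sample listing are assumptions made for illustration, and the `--apply` path assumes exactly one secret key on the machine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): wire an existing GPG key into Git.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output;
# the key IDs and the user ID below are made up for illustration.
SAMPLE_LISTING='sec   rsa4096/0123456789ABCDEF 2023-06-12 [SC]
      AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF
uid                 [ultimate] Example Dev (work laptop) <dev@example.com>
ssb   rsa4096/FEDCBA9876543210 2023-06-12 [E]'

# Print the long key ID of every primary secret key ("sec" lines) read from
# stdin: the part after "rsa4096/" that the post tells you to copy.
extract_key_ids() {
  awk '$1 == "sec" { split($2, parts, "/"); print parts[2] }'
}

# Accept only a 16-hex-digit long key ID, so a mis-copied value such as
# "rsa4096/0123..." is rejected before it reaches the Git configuration.
is_long_key_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# Tell Git which key to sign with and to sign every commit by default.
configure_signing() {
  is_long_key_id "$1" || { echo "not a long key ID: $1" >&2; return 1; }
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
}

# Hypothetical invocation: ./setup-signing.sh --apply
if [ "${1:-}" = "--apply" ]; then
  ids=$(gpg --list-secret-keys --keyid-format LONG | extract_key_ids)
  [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || {
    echo "expected exactly one secret key, found:" >&2
    printf '%s\n' "$ids" >&2
    exit 1
  }
  configure_signing "$ids"
  echo "Signing with $ids; check a commit with: git log --show-signature -1"
fi
```

With more than one secret key present, call `configure_signing` yourself with the ID whose e-mail address matches your GitHub account.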