About commit signature verification

You can sign commits and tags locally so that others can confirm that your work comes from a trusted source. GitHub marks a commit or tag as verified if it has a cryptographically verifiable GPG or S/MIME signature.

If a commit or tag has a signature that cannot be verified, GitHub marks the commit or tag as unverified.

Install the GPG command line tool

GPG is not installed on OS X or Windows by default. To install the GPG command line tool, see the Download page for GnuPG.

You can also install it with Homebrew:

$ brew install gnupg

Check the existing GPG key

Before generating a GPG key, you can check if there are any existing GPG keys.

$ gpg --list-secret-keys --keyid-format LONG

Check the command output to see if there are GPG key pairs.

  • Generate a new GPG key if there is no GPG key pair, or if you do not want to use any of the existing key pairs for signing commits and tags.
  • Add the GPG key to the GitHub account if a GPG key pair already exists and you want to use it for signing commits and tags.
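
A scripted form of this check, as an added example that is not part of the original page: it reads gpg's machine-readable --with-colons listing and prints the long IDs of secret keys whose primary key can sign, is not revoked, expired or disabled, and meets the 4096-bit length this page asks for when generating a key. The function names and the sample key IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick secret keys suitable for commit signing.
# Real use: gpg --list-secret-keys --with-colons | signing_candidates
# Colon fields used: 1=record type, 2=validity, 3=key length in bits,
# 5=long key ID, 7=expiry (epoch seconds, empty = never), 12=capabilities.
signing_candidates() {
    min_bits=${1:-4096}          # minimum accepted key length
    now=${2:-$(date +%s)}        # reference time for the expiry check
    awk -F: -v min="$min_bits" -v now="$now" '
        $1 != "sec"                { next }  # primary secret keys only
        $2 ~ /^[red]$/             { next }  # revoked, expired or disabled
        $7 != "" && $7 + 0 <= now  { next }  # expiry date already passed
        $3 + 0 < min               { next }  # shorter than required length
        $12 !~ /s/                 { next }  # primary key cannot sign
        { print $5 }                         # long key ID for user.signingkey
    '
}

# Constructed sample listing (not real keys): a 4096-bit signing key with an
# encryption subkey, a 2048-bit key, an expired key, and a primary key
# without the signing capability.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAA000000000001:1609891200:::u:::scESC:::+:::23::0:
ssb:u:4096:1:AAAA0000000000A1:1609891200::::::e:::+:::23:
sec:u:2048:1:BBBB000000000002:1609891200:::u:::scESC:::+:::23::0:
sec:e:4096:1:CCCC000000000003:1483228800:1514764800::u:::sc:::+:::23::0:
sec:u:4096:1:DDDD000000000004:1609891200:::u:::cEC:::+:::23::0:
EOF
}

# Demo on the constructed listing; only the first key qualifies.
sample_listing | signing_candidates
```

An empty result means no existing key qualifies and a new one should be generated.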

Generate a new GPG key

If you do not have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.

  1. Generate a GPG key pair

    $ gpg --full-generate-key
  2. When prompted, specify the type of key to generate, or press Enter to accept the default RSA and RSA.

  3. Enter the desired key length. The key must be at least 4096 bits.

  4. Enter the validity period of the key. Press Enter to accept the default, which means the key does not expire.

  5. Verify that your choice is correct.

  6. Enter your user ID information.

  7. Enter a secure passphrase.

  8. List the GPG keys for which you have both a public and a private key. Signing commits or tags requires a private key. In this example, the GPG key ID is 0B4436F611DCD0EC:

    $ gpg --list-secret-keys --keyid-format LONG
    /Users/xsky/.gnupg/pubring.kbx
    ------------------------------
    sec   rsa4096/0B4436F611DCD0EC 2021-01-06 [SC]
          B9476F6DF471A45A0CFDF9710B4436F611DCD0EC
    uid                 [ultimate] linsheng (making key) <[email protected]>
    ssb   rsa4096/15B24F4064D2384D 2021-01-06 [E]

  9. Export the GPG public key in ASCII-armored form:

    $ gpg --armor --export 0B4436F611DCD0EC

  10. Copy the GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.

Add a GPG key to the GitHub account

To configure a GitHub account to use a new (or existing) GPG key, you also need to add it to your GitHub account.

  1. In the upper right corner of any page, click your profile photo, and then click Settings.

  2. In the user settings sidebar, click SSH and GPG keys.

  3. Click New GPG key.

  4. In the "Key" field, paste the GPG key that you copied when you generated the new GPG key.

  5. Click Add GPG key.

  6. To confirm the operation, enter your GitHub password.

Tell Git your signing key

To sign commits locally, you need to tell Git which GPG key you want to use.

  1. To set the GPG signing key in Git, paste the following text, substituting the GPG key ID you want to use. In this example, the GPG key ID is 0B4436F611DCD0EC:

    $ git config --global user.signingkey 0B4436F611DCD0EC

  2. If you are not using GPG Suite, paste the following text to add the GPG key to your bash configuration file:

    $ test -r ~/.bash_profile && echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile
    $ echo 'export GPG_TTY=$(tty)' >> ~/.profile

    Note: If you do not have .bash_profile, this command adds the GPG key to .profile.

  3. If signing fails with "error: gpg failed to sign the data", run the gpgconf --kill gpg-agent command to restart gpg-agent.

Signing commits

You can use GPG to sign commits locally. To sign all commits by default in any local repository on your computer, run:

$ git config --global commit.gpgsign true

To store your GPG key passphrase so that you do not have to enter it every time you sign a commit, we recommend using the following tools:

  • For Mac users, GPG Suite allows you to store your GPG key passphrase in the macOS keychain.
  • For Windows users, Gpg4win integrates with other Windows tools.

  1. When committing changes in a local branch, add the -S flag to the git commit command:

    $ git commit -S -m "your commit message"

  2. If you use GPG, after you create the commit, provide the passphrase you set when you generated the GPG key.

  3. Once you have finished creating commits locally, push them to your remote repository on GitHub:

    $ git push

  4. For more details about the Verified signature, click Verified.