Securing Your Commits: A Guide to Generating and Using GPG Keys on GitHub

GitHub is one of the most popular platforms for hosting and sharing code, and one of its key features is the ability to verify the authenticity of commits using GPG (GNU Privacy Guard) signatures. A GPG key is a digital signature that provides a way to verify that the code being committed to GitHub was created by the person who claims to have created it. In this article, we will discuss how to generate a new GPG key and use it to verify commits on GitHub.

Step 1: Install GPG

Before we can generate a new GPG key, we need to make sure that GPG is installed on our system. GPG is available for most platforms, including Linux, macOS, and Windows. To check if GPG is installed on your system, open a terminal or command prompt and run the following command:

gpg --version

If GPG is not installed, you can download it from the official GPG website or install it using your package manager.

Step 2: Generate a new GPG key

Once GPG is installed, we can generate a new GPG key. To do this, open a terminal or command prompt and run the following command:

gpg --full-generate-key

This will start the GPG key generation wizard. Follow the prompts to generate a new GPG key. You will need to choose the key type, key size, and expiration date. You will also need to enter your name and email address, which will be used to identify the key. Finally, you will need to enter a passphrase to protect the key.

Step 3: Export the GPG key

After the GPG key is generated, we need to export it so that we can use it to sign commits on GitHub. To export the GPG key, run the following command:

gpg --armor --export <KEY-ID>

Replace <KEY-ID> with the ID of the key you just generated. This will output the key in ASCII-armored format, which can be copied and pasted into GitHub.

Step 4: Add the GPG key to GitHub

Now that we have exported the GPG key, we need to add it to GitHub. To do this, go to your GitHub account settings and click on “SSH and GPG keys”. Click on the “New GPG key” button and paste in the ASCII-armored key that we exported in step 3.

Step 5: Configure Git to use the GPG key

Finally, we need to configure Git to use the GPG key when signing commits. To do this, open a terminal or command prompt and run the following commands:

git config --global user.signingkey <KEY-ID>
git config --global commit.gpgsign true

Replace <KEY-ID> with the ID of the key you just generated. These commands will tell Git to use the GPG key when signing commits and to require signed commits.

Conclusion

In conclusion, GPG keys provide a way to verify the authenticity of commits on GitHub. Generating a new GPG key and adding it to GitHub is a simple process that can help improve the security of your code. By following the steps outlined in this article, you can generate a new GPG key and use it to sign commits on GitHub.

Here are some additional resources related to GPG and GitHub that readers may find useful:

How to set up Git commit signing with GPG and a YubiKey on macOS

GitHub’s documentation on managing commit signature verification: https://docs.github.com/en/authentication/managing-commit-signature-verification
GPG’s official website, which includes documentation, downloads, and tutorials: https://gnupg.org/
GitHub’s guide to setting up GPG keys for signing commits: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
A step-by-step tutorial on using GPG keys with Git: https://www.gnupg.org/documentation/howtos/gnupg-and-git.html
A helpful article on how to verify commits on GitHub using GPG keys: https://medium.com/@sheharyarn/verifying-commits-on-github-with-gpg-key-57a60d26b985
Generating a new GPG key https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Securing Your Commits: A Guide to Generating and Using GPG Keys on GitHub

Failed to sign:

Further reading