Verifying GitHub Commits with Keybase

Learn what a "verified commit" is in Git, and how you can verify your commits in GitHub using keys from your account.

by Dustin Ingram


Have you ever seen a "verified" commit on GitHub? Chances are you haven't. It looks something like this:

A "verified" commit is a commit that has been signed with a GPG key whose public half has been added to the committer's GitHub account. Git itself has supported signing commits with a GPG key for a while, but GitHub only recently added the badge, which makes it quick and easy to see whether a commit's signature was verified.

This feature prevents another user's commits from being impersonated unnoticed: Git lets anyone set any name and email address as a commit's author, but only the holder of the private key can produce the signature. For example, if Linus Torvalds used it, you could easily tell that this commit has been forged.

Create a Keybase Account

At Promptworks, we love using Keybase to share encrypted data, manage our public keys, and verify our online identities. In addition to these great features, we can now use it to verify our commits on GitHub as well.

Keybase is currently invite only, but once you are able to get hold of an invite, accept the invitation and follow along:

The main email for your account should be an address you have control of, if possible. Pick a good password!

Your new profile should look like this, with nothing added to it:

Next, we'll add a new PGP key:

We'll generate a new public key rather than use one you might already have for two reasons:

  1. Keybase will generate a nice long private key for you with the latest version of OpenPGP.
  2. We're going to add an additional email to your key, which is possible with an existing key, but not as easy.

Now, Keybase will do some math:

Here's the important part: when adding email addresses to the key, be sure to add an additional email, <username>, where <username> is your GitHub username:

Next, Keybase will generate two candidate primes from which to derive your key:

When it's finished, Keybase will display the public key that it has generated for you:

You should see that the 64-bit fingerprint of your key now appears on your profile page:

Next to it is an edit link. Click this, and choose "Export my private key from Keybase":

You should be presented with the following screen prompting you for your password:

Finally, it will give you a textbox with your entire private key in it. Copy this into a file on your local machine named keybase_private.asc.

Configuring GPG

The next step will be informing GPG about your new keypair.

If you're on macOS, you can install the gpg utility as follows:

$ brew install gpg
==> Downloading
############################################################## 100.0%
==> Pouring gnupg2-2.0.30_2.sierra.bottle.1.tar.gz
==> Using the sandbox
🍺  /usr/local/Cellar/gnupg2/2.0.30_2: 91 files, 3.7M

Next, we will import our Keybase keypair (which we previously exported from Keybase and stored in the file called keybase_private.asc) into gpg:

$ gpg --import keybase_private.asc
gpg: key 93D2B8D4: secret key imported
gpg: key 93D2B8D4: public key "Dustin Ingram <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

We can confirm that our keypair carries both of the email addresses we configured for it:

$ gpg --list-secret-keys --keyid-format LONG
sec   4096R/93D2B8D4930A5E39 2015-04-23 [expires: 2025-04-20]
uid                          Dustin Ingram <[email protected]>
uid                          Dustin Ingram <[email protected]>
ssb   4096R/E4651763864F3522 2015-04-23

Finally, remove the exported private key file from your local machine; the key now lives in your GPG keyring, so the plaintext export is no longer needed:

$ rm keybase_private.asc

Configuring Git

The next step will be configuring Git locally.

First, we must tell Git to use the key we added to GPG in the previous step to sign commits. The key ID is the entire value after 4096R/ on the sec line of the output above:

$ git config --global user.signingkey 93D2B8D4930A5E39

Next, we tell Git to globally sign every commit with this key:

$ git config --global commit.gpgsign true

Lastly, if you haven't already done this, tell Git to commit as the email address you added to your key, so that the author email on each commit matches one of the key's user IDs:

$ git config --global user.email "<username>"

Configuring GitHub

The last step is telling GitHub about your public key.

First, navigate to<username>/key.asc, and copy the entire key:

Then, navigate to and scroll down to GPG keys:

Click "New GPG key":

After clicking "Add GPG key", it should look like this:

Verify your commit is verified

After performing these steps, the next commit you make should look like this:
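Beyond the badge in GitHub's UI, you can check signatures locally, which is what you want when auditing a branch before merging it. The script below is an added example, not from the original post: it reads the per-commit signature status that Git's `%G?` and `%GK` format placeholders report and flags every commit that is not a good signature from the expected key. The commit hashes and the second key ID are constructed sample data; the expected key ID is the one used throughout this post.

```shell
# Added example: audit commit signatures using git's %G? placeholder, which
# reports per commit:
#   G good signature, U good but key untrusted, B bad signature,
#   E cannot check (key missing), N unsigned, X/Y expired, R revoked key.
# SAMPLE_LOG below is constructed to mimic the output of
#   git log --format='%H|%G?|%GK|%s' <range>
# so the check runs without a repository.

classify_status() {
  case "$1" in
    G)   echo "verified" ;;
    U)   echo "signed, key not trusted" ;;
    B)   echo "BAD signature" ;;
    N)   echo "unsigned" ;;
    E)   echo "cannot verify (signer key not in keyring)" ;;
    X|Y) echo "expired" ;;
    R)   echo "revoked key" ;;
    *)   echo "unknown status '$1'" ;;
  esac
}

# audit_log EXPECTED_KEYID: reads 'hash|status|keyid|subject' lines on stdin
# and prints one line per commit that is NOT a good signature from the
# expected key. Subject is the last field, so any '|' inside it is preserved.
audit_log() {
  expected_key="$1"
  while IFS='|' read -r hash status keyid subject; do
    [ -n "$hash" ] || continue
    if [ "$status" = "G" ] && [ "$keyid" = "$expected_key" ]; then
      continue
    fi
    printf '%.10s %s [%s] %s\n' "$hash" "$(classify_status "$status")" \
      "${keyid:-no key}" "$subject"
  done
}

# Constructed sample: five commits, only the first one is clean.
SAMPLE_LOG='a1b2c3d4e5f60718293a4b5c6d7e8f9012345678|G|93D2B8D4930A5E39|Add signed feature
b2c3d4e5f60718293a4b5c6d7e8f90123456789a|N||Quick fix without signature
c3d4e5f60718293a4b5c6d7e8f90123456789ab0|B|93D2B8D4930A5E39|Content changed after signing
d4e5f60718293a4b5c6d7e8f90123456789ab0c1|G|DEADBEEF00000001|Signed with an unexpected key
e5f60718293a4b5c6d7e8f90123456789ab0c1d2|E|93D2B8D4930A5E39|Signer key not in keyring'

printf '%s\n' "$SAMPLE_LOG" | audit_log 93D2B8D4930A5E39
# Real use: git log --format='%H|%G?|%GK|%s' origin/main..HEAD | audit_log <KEYID>
```

An empty result means every commit in the range carries a good signature from the key you expect; a single commit can be checked the same way with `git verify-commit <hash>`.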
