Signing Commits

Overview

How I set up Git to get the verified signature [1] on commits I push to the repo with VS Code on Windows. TL;DR: Who doesn't like the Verified tag?

Steps

Setting Up Git Identity

# Remove --global to configure only the current repository; $username and $xxxx are placeholders
git config --global user.name $username # Can be anything
git config --global user.email $xxxx@users.noreply.github.com # Can be found in GitHub "Settings" > "Emails"

[2]

Generating GPG Key

  1. Install Gpg4win, as recommended by GitHub Docs for Windows users [3]
  2. Open Kleopatra (this can also be done from cmd instead)
    • Click "File" > "New OpenPGP Key Pair"
    • Type in "Name" and "Email address" (match the user.name and user.email)
    • Checking "Protect the generated key with a passphrase" is recommended
    • (Optional) Click "Advanced Settings..." to change the expiration date

Configuring Git

git config --global user.signingkey $KeyID # Can be found in Kleopatra "Certificates" > "Key-ID"
git config --global commit.gpgsign true # Sign all commits by default
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe" # Change the path if needed

[4]

Configuring GitHub

  1. Go to GitHub "Settings" > "SSH and GPG keys" > "New GPG key" [5]
  2. "Key" can be found in Kleopatra by double-clicking the certificate > "Export"
    • It should begin with -----BEGIN PGP PUBLIC KEY BLOCK-----
  3. DONE
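
The steps above depend on the key's e-mail matching user.email and on user.signingkey pointing at a usable key. The following check is an added example, not part of the original page. It assumes Git Bash, and `check_signing_key` is a hypothetical helper name. It reads `gpg --list-keys --with-colons` output; the sample listing is constructed.

```shell
#!/usr/bin/env bash
# Added example. check_signing_key is a hypothetical helper, not a git or gpg command.
# Reads `gpg --list-keys --with-colons` output on stdin.
# Returns 0 = OK, 1 = key not found, 2 = key expired/revoked, 3 = e-mail not on key.
check_signing_key() {
  awk -F: -v id="$1" -v mail="$2" '
    BEGIN {
      id = toupper(id); gsub(/ /, "", id); mail = tolower(mail); rc = 1
      # A 40-digit v4 fingerprint ends in the 16-digit key ID.
      if (length(id) > 16) id = substr(id, length(id) - 15)
    }
    $1 == "pub" {
      # Field 5 = key ID, field 2 = validity (e = expired, r = revoked).
      k = toupper($5)
      inkey = (id != "" && substr(k, length(k) - length(id) + 1) == id)
      if (inkey) rc = ($2 == "e" || $2 == "r") ? 2 : 3
    }
    # Field 10 of a uid record is "Name <email>"; skip revoked user IDs.
    inkey && rc == 3 && $1 == "uid" && $2 != "r" &&
      index(tolower($10), "<" mail ">") { rc = 0 }
    END { exit rc }
  '
}

# Constructed sample listing (not a real key).
SAMPLE='pub:u:4096:1:AAAA1111BBBB2222:1700000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAA1111BBBB2222:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Dev <12345+example@users.noreply.github.com>::::::::::0:
sub:u:4096:1:CCCC3333DDDD4444:1700000000::::::e::::::23:'

printf '%s\n' "$SAMPLE" |
  check_signing_key "AAAA1111BBBB2222" "12345+example@users.noreply.github.com" &&
  echo "signing key and e-mail match"

# Real use (assumes the gpg.program configured above):
#   "$(git config gpg.program)" --list-keys --with-colons |
#     check_signing_key "$(git config user.signingkey)" "$(git config user.email)"
```

A non-zero result before pushing usually explains an "Unverified" tag: the commit was signed, but with a key whose user ID does not carry the committer e-mail, or with a key that has expired.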

Transferring Settings

These files might be helpful for setting up another machine:

  • .gitconfig from %USERPROFILE%
  • gnupg from %APPDATA% (this folder holds the private key, so copy it only over a channel you trust)


Footnotes

  1. About commit signature verification - GitHub Docs

  2. Git - First-Time Git Setup

  3. Signing commits - GitHub Docs

  4. Telling Git about your signing key - GitHub Docs

  5. Adding a GPG key to your GitHub account - GitHub Docs