How to make your commit verified in github fastly

calendar Mar 6, 2024 · 2 min read · github security  ·
Share on: linkedin copy

Why I should have a commit signature verification.

If you have a pull request to an external repo, it would show a "Unverified" status ,like blow:

How could I do that fast.

The following instructions will help you config quickly to achive that.

Generate ed25519 type ssh keys.

1ssh-keygen -t ed25519 -C "[email protected]"
2# You can use all prompt default options if you like.

Add keys to ssh-agent.

1# start ssh-gaent 
2eval "$(ssh-agent -s)"
3
4# add keys
5ssh-add --apple-use-keychain ~/.ssh/id_ed25519
6ssh-add ~/.ssh/id_ed25519 # or if you are in linux to use this command

Add github identify config to ssh config.

1vi ~/.ssh/config
2# Add fllowing config in it.
3Host github.com
4 AddKeysToAgent yes
5 IdentityFile ~/.ssh/id_ed25519

Add ssh id_ed25519.pub to github must be with both sign and auth types.

Ref Github Docs: Adding a new SSH key to your GitHub account - GitHub Docs.

Setting git global config use a ssh gpgsign verify.

1   git config --global gpg.format ssh
2   git config --global user.signingkey  ~/.ssh/id_ed25519.pub
3   git config --global commit.gpgsign true

Just have a test to check if it works.

1   # add some new changes, commit and push your changes.
2   git commit -am "update cmd"
3   git push

Login to github to check commit entries, whether there is a "Verified" status . like below:

Ref:

About commit signature verification - GitHub Docs

Generating a new SSH key and adding it to the ssh-agent - GitHub Docs

Adding a new SSH key to your GitHub account - GitHub Docs

Tell Git about your signing key

Signing commits - GitHub Docs

Posts in this series