GitHub has a feature that shows whether a commit carries a verified signature. Usually you only see it on changes made from the web interface, but it is also possible to sign the commits you make on your own computer and have GitHub recognize them as verified.
After following this guide it should work with all git tools unless they do something weird, but I have only tested it using my personal favorite, TortoiseGit, and with manual git commits from the command line. If you find a tool that doesn't work with it, let me know.
Begin by downloading and installing gpg4win. If you already have a version of gpg installed you can skip this step and use your version; if you are not sure, use this one.
Step 1. Generating the key
With gpg installed, open cmd and run the command
gpg --full-generate-key --allow-freeform-uid
You will be asked a few questions; answer them like this:
Please select what kind of key you want?
Answer: 1
What keysize do you want?
Answer: 4096
Key is valid for?
Answer: 1y
Note: answer 0 instead for a key that never expires.
Key expires at DATE. Is this correct?
Answer: y
It will now ask for your name, email and comment; answer those (you can leave the comment blank). Use the same email as your GitHub account.
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Answer: O
In the last few lines you will see something that looks like this:
pub rsa4096 2023-08-11 [SC]
4392BB8C9C5BE1B6B916D2D76A808CDE1D22E554
Write down the long hex string (the key fingerprint), as you will need it later.
Step 2. Add public key to GitHub
Now we generate a public key block that you will use to tell GitHub that this is your key.
You can generate it by running the command below, replacing YOUREMAIL with the email address you used when you generated the key earlier.
gpg --armor --export YOUREMAIL
You will get something that looks like this, but much longer. Copy it to your clipboard by selecting everything and then right-clicking.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGTWVvcBEACkCn/5V7TS5brdAGQjrlu8acVgl9ag8DUb4teLU04v1mK/3FMF
LKzDTNoZbegZaYE83cNzMmkIyxz4+8U532BQ10pvrxKzO+41Q9ZnGOP74keNzjAb
XSKsG6IqYpwI1hh2i6e4fqI+cY+pvG/fK5P1dZM80K/G0uZeKL/mjjG8jOgoQlKb
yQiD57g=
=euVS
-----END PGP PUBLIC KEY BLOCK-----
Now go to this GitHub page and paste the block; you can give it any title you want:
https://github.com/settings/gpg/new
Step 3. Tell Git to use the key
We are now almost ready; all that is left is to tell git on your computer to actually use the key. You do that by modifying your .gitconfig file, which can be found at "C:\Users\USERNAME\.gitconfig" (replace USERNAME with your username on the computer).
To modify it, open it with Notepad or a similar application (I prefer VSCode). Then add the following. You probably already have a [user] block; if so, just add the signingkey line to it.
SIGNINGKEY should be the hex string you saved earlier, FULLNAME is your full name and EMAIL is the email you used earlier.
[user]
	signingkey = SIGNINGKEY
	name = FULLNAME
	email = EMAIL
[commit]
	gpgsign = true
[gpg]
	program = "C:/Program Files (x86)/GnuPG/bin/gpg.exe"
Save the file and you should be ready. To test it, I recommend creating a dummy private repo and checking that everything works there.
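As an added check for Steps 1 and 3 (example code written for this article, not part of the original guide): it parses the machine-readable key listing that `gpg --list-secret-keys --with-colons --fingerprint` prints, picks the full fingerprint of a non-expired, non-revoked secret key whose user id matches your GitHub email, and renders the .gitconfig lines shown above. The sample listing, the fingerprints and the email addresses are constructed for the example.

```python
import re

# Constructed sample of `gpg --list-secret-keys --with-colons --fingerprint`
# output (not from the page). Per GnuPG's doc/DETAILS, field 1 is the record
# type, field 2 the validity ('e' expired, 'r' revoked) and field 10 holds the
# fingerprint on fpr records or the user id on uid records. Key 1 is expired.
SAMPLE_COLONS = """\
sec:e:4096:1:89ABCDEF01234567:1597000000:1628536000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1597000000::ABC::Jane Doe <jane@example.com>::::::::::0:
sec:u:4096:1:0123456789ABCDEF:1691712000:1723334400::u:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1691712000::DEF::Jane Doe <jane@example.com>::::::::::0:
ssb:u:4096:1:5555666677778888:1691712000:1723334400:::::e::::::23:
fpr:::::::::5555666677778888555566667777888855556666:
sec:u:4096:1:76543210FEDCBA98:1691712000:1723334400::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1691712000::GHI::Someone Else <other@example.org>::::::::::0:
"""

def parse_secret_keys(colon_output):
    """One {fpr, validity, emails} entry per primary secret key."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            keys.append({"fpr": None, "validity": f[1], "emails": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after sec; later ones are subkeys
        elif f[0] == "uid" and keys:
            m = re.search(r"<([^>]+)>", f[9])
            keys[-1]["emails"].append((m.group(1) if m else f[9]).lower())
    return keys

def choose_signing_key(colon_output, email):
    """Full fingerprint of a usable secret key whose user id carries `email`.
    Expired ('e') and revoked ('r') keys are skipped, since GitHub does not show
    their signatures as verified; the 40-hex fingerprint is used, not a short id."""
    for k in parse_secret_keys(colon_output):
        if k["validity"] not in ("e", "r") and email.lower() in k["emails"]:
            return k["fpr"]
    return None

def gitconfig_fragment(fingerprint, name, email, gpg_program):
    """Render the [user]/[commit]/[gpg] lines from Step 3 for this key."""
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", fingerprint):
        raise ValueError("expected a 40-character hex fingerprint")
    return ("[user]\n\tsigningkey = %s\n\tname = %s\n\temail = %s\n"
            "[commit]\n\tgpgsign = true\n[gpg]\n\tprogram = \"%s\"\n"
            % (fingerprint, name, email, gpg_program))
```

On a real machine, pass the actual output of the gpg command to choose_signing_key; after a test commit in the dummy repo, `git log --show-signature -1` shows whether the signature was made with that key.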
Happy scripting!