Skip to main content

How to sign your commits with a GPG key so that "Verified" badge appears next to your name on GitHub?

Β· 5 min read
Serhii Hrekov
software engineer, creator, artist, programmer, projects founder

That "Verified" badge on GitHub isn't just for show-it's a cryptographic guarantee that the code actually came from you and hasn't been tampered with. Without it, anyone can technically spoof your name and email in a Git commit.

By using GPG (GNU Privacy Guard), you "seal" your commits with a private key that only you possess. GitHub then uses your public key to verify that seal.

πŸ” The "Verified" Workflow​

1. Install GPG​

First, ensure you have the GPG command-line tools installed.

  • macOS: brew install gpg2
  • Windows: Download Gpg4win
  • Linux: sudo apt install gnupg (usually pre-installed)

2. Generate Your Key Pair​

Run the following command and follow the prompts.

gpg --full-generate-key

Pro Tips for the Prompts:

  • Kind of key: Select (1) RSA and RSA (default).
  • Key size: Choose 4096 bits for maximum security.
  • Expiration: 0 (key does not expire) or your preferred timeframe.
  • Identity: Use the exact same email address linked to your GitHub account.

3. Retrieve Your Public Key​

You need to export your public key to give it to GitHub. First, find your Key ID:

gpg --list-secret-keys --keyid-format=LONG

Look for the line starting with sec. The ID is the string of characters after the slash (e.g., 3AA5C34371567BD2). Now, export it:

gpg --armor --export 3AA5C34371567BD2
# Replace with YOUR ID

Copy everything from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----.


4. Add the Key to GitHub​

  1. Go to GitHub Settings.
  2. Click SSH and GPG keys.
  3. Click New GPG key and paste your block.

5. Configure Git to Sign Locally​

Now tell your computer to use this key for every commit you make.

# Tell Git which key to use
git config --global user.signingkey 3AA5C34371567BD2

# Enable signing for ALL commits automatically
git config --global commit.gpgsign true

Windows/macOS Note: If you get an error like gpg: signing failed: Inappropriate ioctl for device, add export GPG_TTY=$(tty) to your .bashrc or .zshrc file.


πŸ› οΈ Testing the Badge​

Make a small change, commit it, and push:

git commit -m "Testing my new verified badge"
git push

If you check your commit history on GitHub now, you should see that beautiful green Verified button next to your name!


πŸ“š Sources & Technical Refs​


πŸ“‹ Troubleshooting Checklist​

IssueSolution
No "Verified" badge?Ensure the email in gpg matches your GitHub email exactly.
Asking for password every time?Use a GPG Agent (like Keychain on Mac) to cache the passphrase.
Commit fails?Check if gpg is in your system PATH using which gpg.
Windows "Inappropriate ioctl" error?Add export GPG_TTY=$(tty) to your shell config file.