How to sign commits
To improve the security of the repository, we require all commits to be signed. In every pull request, a DCO app checks whether the commits are signed.
The simplest way to sign commits from a terminal is by following these steps:
- Make sure you have configured your name with `git config user.name` and your email with `git config user.email` (see more details on how to configure it).
- Add `-s` to every commit. For example:
  ```
  $ git commit -s -m "your commit message"
  ```

To ensure your commits are signed, run `git log`; you should see `Signed-off-by: Your Name <your-github-username@users.noreply.github.com>` in the output.
GPG is a tool that allows you to sign commits. To enable GPG signing, follow these steps:
- Generate a new GPG key or use an existing one:
  ```
  $ gpg --full-generate-key
  ```
- Select what kind of key you want to generate. For most use cases, the default (RSA and RSA) is fine.
- Select the expiration date.
- Enter your name, email address and an optional comment. For the email address, if you don't want to use your personal email, enter the noreply GitHub email, which is `your-github-username@users.noreply.github.com`. You can leave the comment blank.
- Enter a strong passphrase.
- List the GPG key:
  ```
  $ gpg --list-secret-keys --keyid-format LONG
  ```
  The output should look like:
  ```
  /Users/you/.gnupg/secring.gpg
  ------------------------------------
  sec   rsa4096/3AA5C34371567BD2 2016-03-10 [expires: 2025-03-10]
        Key fingerprint = 6249 24C0 6DDE 3C20 2D79 CCB3 971A 9775 3AA5 C343
  uid                 [ultimate] Your Name <your-github-username@users.noreply.github.com>
  ssb   rsa4096/DD7F 2016-03-10
  ```
  Your GPG key ID is the string after `rsa4096/` and before the date. In the example above, the GPG key ID is `3AA5C34371567BD2`.
- Export the (ASCII-armored) public key using the GPG key ID:
  ```
  $ gpg --armor --export YOUR_GPG_KEY_ID
  ```
- Add the public key to your GitHub account. Go to your GitHub account settings and click on "SSH and GPG keys". Click on "New GPG key". Paste your public key into the "Key" field. Click on "Add GPG key".
- Configure git to use your GPG key. In the terminal, go to your repo and enter:
  ```
  $ git config user.signingkey YOUR_GPG_KEY_ID
  ```
- To sign commits by default, enter the parameter `-s` before the commit message:
  ```
  $ git commit -s -m "your commit message"
  ```

To ensure your commits are signed, run `git log`; you should see `Signed-off-by: Your Name <your-github-username@users.noreply.github.com>` in the output.
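As an added example (not part of this wiki page or the project's own tooling), the POSIX shell functions below reproduce locally what the DCO check described above looks at, and at the same time show what the GPG section's configuration produces: for every commit in a range they report whether a `Signed-off-by:` trailer is present (that is what `git commit -s` adds) and git's own GPG signature status code (`%G?`: `G` for a good signature, `U` good but untrusted, `B` bad, `N` when the commit carries no signature). Note that the lowercase `-s` flag only adds the trailer; a GPG signature is created with uppercase `-S` or `git config commit.gpgsign true`, so a commit can be DCO-signed-off while still showing `N`. The script assumes `git` is installed; the repository path and commit range passed to the functions are hypothetical.

```shell
#!/bin/sh
# Added example, not the wiki page's code. Reports, for each commit in a range,
# whether it carries a DCO "Signed-off-by:" trailer and what git says about its
# GPG signature. Assumes git is installed; REPO and RANGE are caller-supplied.

# report_commits REPO RANGE
# Prints one line per commit: "<sha> <signed-off|missing> <%G? code>".
# %G? asks git to verify the commit's GPG signature (N means no signature).
report_commits() {
  repo=$1
  range=$2
  git -C "$repo" log --no-show-signature --format='%H %G?' "$range" |
  while read -r sha gpg; do
    # The trailers format prints only Signed-off-by values; empty => missing.
    if git -C "$repo" log -1 --format='%(trailers:key=Signed-off-by,valueonly)' "$sha" |
       grep -q .; then
      dco=signed-off
    else
      dco=missing
    fi
    printf '%s %s %s\n' "$sha" "$dco" "$gpg"
  done
}

# check_dco REPO RANGE
# Succeeds (exit 0) only if every commit in RANGE has a Signed-off-by trailer,
# which is the condition the DCO app enforces on pull requests.
check_dco() {
  ! report_commits "$1" "$2" | grep -q ' missing '
}

# Usage: check_dco /path/to/repo origin/main..HEAD || echo "unsigned-off commits found"
```

Run `check_dco` against the range of commits you are about to push; it fails as soon as one commit lacks the trailer, so you can amend before the DCO app flags the pull request. The `%G?` column in `report_commits` is what tells you whether the `user.signingkey` setup from the GPG section is actually being used.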