
How to sign commits

Miguel Fierro edited this page Aug 24, 2023 · 2 revisions

Overview

To improve the security of the repository, we require all commits to be signed. In every pull request, a DCO app checks whether the commits are signed.

Simplest way to sign commits

The simplest way to sign commits from a terminal is by following these steps:

  1. Make sure you have configured your name with git config user.name and email with git config user.email (see more details on how to configure it).
  2. Add -s to every commit. For example: $ git commit -s -m "your commit message".

To ensure your commits are signed, when you enter the command git log, you should see Signed-off-by: Your Name <your-github-username@users.noreply.github.com> in the output.
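The following is an added illustration, not code from this page or from the DCO app, of the rule that check enforces on a pull request: every commit must carry a Signed-off-by trailer, and the name and email in it must match the commit author. The git log text it parses is constructed sample data with placeholder hashes and identities.

```python
import re
# Constructed `git log` output (placeholder hashes/identities, not from the page's repo).
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Your Name <your-github-username@users.noreply.github.com>

    Add feature

    Signed-off-by: Your Name <your-github-username@users.noreply.github.com>

commit 2222222222222222222222222222222222222222
Author: Your Name <your-github-username@users.noreply.github.com>

    Forgot -s on this one

commit 3333333333333333333333333333333333333333
Author: Your Name <your-github-username@users.noreply.github.com>

    Signed off as someone else

    Signed-off-by: Other Person <other@example.com>
"""

SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(.+?)\s*<([^>]+)>\s*$")
IDENT_RE = re.compile(r"^(.*?)\s*<([^>]+)>$")


def parse_git_log(text):
    """Split default `git log` output into (sha, author, message-lines) tuples."""
    commits = []
    for chunk in re.split(r"(?m)^commit ", text)[1:]:
        lines = chunk.splitlines()
        sha = lines[0].strip()
        author = next(line[len("Author: "):].strip() for line in lines if line.startswith("Author: "))
        body = [line[4:] for line in lines if line.startswith("    ")]  # message is indented 4 spaces
        commits.append((sha, author, body))
    return commits


def dco_check(text):
    """Per commit: 'ok' only if a Signed-off-by trailer matches the author name and email."""
    results = {}
    for sha, author, body in parse_git_log(text):
        signoffs = [m.groups() for m in map(SIGNOFF_RE.match, body) if m]
        if not signoffs:
            results[sha] = "missing Signed-off-by (commit with -s)"
        elif IDENT_RE.match(author).groups() not in signoffs:
            results[sha] = "Signed-off-by does not match author"
        else:
            results[sha] = "ok"
    return results
```

The trailer is plain text in the commit message, so this check proves only that the author asserted the DCO; it is not a cryptographic signature check.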

Signing commits with GPG on Linux

GPG is a tool that allows you to sign commits. To enable GPG, follow the next steps:

  1. Generate a new GPG key or use an existing one:
$ gpg --full-generate-key
  2. Select what kind of key you want to generate. For most use cases, the default RSA and RSA is fine.
  3. Select the expiration date.
  4. Enter your name, email address and an optional comment. For the email address, if you don't want to use your personal email, enter the noreply GitHub email, which is your-github-username@users.noreply.github.com. The comment can be left blank.
  5. Enter a strong passphrase.
  6. List your GPG keys:
$ gpg --list-secret-keys --keyid-format LONG

The output should look like:

/Users/you/.gnupg/secring.gpg
------------------------------------
sec   rsa4096/3AA5C34371567BD2 2016-03-10 [expires: 2025-03-10]
      Key fingerprint = 6249 24C0 6DDE 3C20 2D79  CCB3 971A 9775 3AA5 C343
uid                  [ultimate] Your Name <your-github-username@users.noreply.github.com>
ssb   rsa4096/DD7F 2016-03-10

Your GPG key ID is the string after rsa4096/ and before the date. In the example above, the GPG key ID is 3AA5C34371567BD2.

  7. Export the public key using the GPG key ID:
$ gpg --armor --export YOUR_GPG_KEY_ID
  8. Add the public key to your GitHub account. Go to your GitHub account settings and click on "SSH and GPG keys". Click on "New GPG key". Paste your public key into the "Key" field. Click on "Add GPG key".
  9. Configure git to use your GPG key. In the terminal, go to your repo and enter:
$ git config user.signingkey YOUR_GPG_KEY_ID
  10. To sign commits by default, enter the parameter -s before the commit message:
$ git commit -s -m "your commit message"

To ensure your commits are signed, when you enter the command git log, you should see Signed-off-by: Your Name <your-github-username@users.noreply.github.com> in the output.