Recently, while working with an open-source project, I found that one contributor's key/access to GitHub had been compromised. You can't imagine how tedious and hasty differentiating the unauthorized commits was. Since then, every contributor to the project has enabled GPG key verification on their account. This helped to monitor unauthorized commits to the repositories. Here's how everyone configured GPG key verification for their commits.
Mac users can download GPG Suite and install it. It has a nice UI with which you can generate a GPG key, or you can follow the commands below to generate and export GPG keys.
Generate GPG key
List your GPG keys
gpg --list-secret-keys --keyid-format LONG
From the list of GPG keys, copy the GPG key ID you’d like to use. In this example, the GPG key ID is
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          Hubot
ssb   4096R/42B317FD4BA89E7A 2016-03-10
Paste the text below, substituting in the GPG key ID you’d like to use. In this example, the GPG key ID is
gpg --armor --export 3AA5C34371567BD2 # Prints the GPG public key, in ASCII armor format
Adding a new GPG key to your GitHub account
In the top right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click SSH and GPG keys.
Click New GPG key.
In the “Key” field, paste the GPG key you copied when you generated your GPG key.
Click Add GPG key.
To confirm the action, enter your GitHub password.
Signing commits using GPG
When committing changes in your local branch, add the -S flag to the git commit command:
git commit -S -m "your commit message" # Creates a signed commit
After you create your commit, provide the passphrase you set up when you generated your GPG key.
When you’ve finished creating commits locally, push them to your remote repository on GitHub:
git push # Pushes your local commits to the remote repository
Now when you check your commits you will see the Verified badge on your commits.
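Signing only helps if someone checks the result. The script below is an added example, not part of the original post or of GitHub's tooling: it reads the output of git log --format='%H %G? %GK' and flags every commit that is unsigned, fails verification, or was signed by a key outside an allow-list. The function names, the allow-list argument and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag commits whose signature does not check out.
# Reads lines "<commit> <status> <key-id>" on stdin, the output of:
#   git log --format='%H %G? %GK'
# <status> is git's %G? code: G good, U good but key validity unknown,
# B bad, X expired signature, Y expired key, R revoked key,
# E cannot be checked (e.g. missing public key), N no signature.
# $1 is a space-separated allow-list of signing key IDs (assumption).
audit_signatures() {
    trusted_keys="$1"
    flagged=0
    while read -r commit status key; do
        [ -n "$commit" ] || continue
        reason=""
        case "$status" in
            G|U)
                # An empty key ID never matches an allow-list entry.
                case " $trusted_keys " in
                    *" ${key:-none} "*) ;;
                    *) reason="signed by key outside the allow-list" ;;
                esac ;;
            B) reason="bad signature" ;;
            X|Y) reason="expired signature or key" ;;
            R) reason="signed by revoked key" ;;
            E) reason="signature cannot be checked" ;;
            N) reason="unsigned" ;;
            *) reason="unknown status '$status'" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s\n' "$commit" "$reason"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]   # non-zero exit status when anything was flagged
}

# Constructed sample input: commit IDs are shortened placeholders and
# 0123456789ABCDEF is a made-up key ID that is not on the allow-list.
sample_log() {
    cat <<'EOF'
a1a1a1a G 3AA5C34371567BD2
b2b2b2b N
c3c3c3c G 0123456789ABCDEF
d4d4d4d R 3AA5C34371567BD2
EOF
}

sample_log | audit_signatures "3AA5C34371567BD2" || true
```

In a real repository, replace sample_log with the git log command from the header comment; git must have the contributors' public keys in the local keyring to verify anything.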